Where do you to transfer personal data? In today’s globalised business world where companies merge worldwide and save costs by outsourcing certain business processes (such as IT services or payroll accounting), international data transfers are an integral part of daily business. When establishing a record of processing activities, you must also indicate where you transfer the personal data to and with whom you share the personal data you have collected. Your company remains the responsible data controller for the data processing operation regardless of the fact whether or not you transfer data to a recipient in another country. This means that your company, being the data controller transferring the data, shall ensure that the data subjects’ personal data categories are adequately protected in the course of the transfer. The following text will show you how difficult it can be to map data transfers abroad.
Risks of data transfers - What you should keep in mind
Are you planning to transfer personal data outside of Austria or are you already doing so? Consider the following aspects to determine whether your company is transferring data to an external recipient.
Searching for and finding points of reference
In a first step, look for points of reference in the existing documentation: is there, e.g., a database stating data transfers to certain locations? Or has your company already notified the Austrian Data Protection Authority of its data processing operations in the past? Does your company rely on a so-called cloud solution or does it save the data locally? Are you a large corporation with subsidiaries or branches outside of Austria? Do you cooperate with suppliers in other countries? Does an external payroll provider handle your company’s payroll accounting and do your employees receive electronic payslips? Is your parent company that is located in a different country responsible for the IT maintenance of your company’s computers?
Integrate the responsible people from an early stage on
Keep in mind that data privacy is a topic that concerns everybody in the company: for this reason, it is a good idea to involve the HR, Marketing, IT and other departments in your company in all steps you are taking right from the start. Schedule meetings with these departments on a regular basis in order to reflect on the on-going process and involve data privacy experts at an early stage of the process. Consider making a good investment by seeking professional advice.
What you should know
Also under the GDPR, data transfers to so-called third countries remain a complex issue. Third countries are those that belong to neither the European Union nor the European Economic Area (Iceland, Norway and Liechtenstein). Examples include China, Russia, India and the USA.
But let us start with the good news: once you have identified all parties to which you send data and these are located in EU or EEA member states, the data transfer is legitimate provided that the recipient has a legitimate interest to the transfer too, or, in the case of a data processor, a respective contractual agreement has been put in place. This also applies to data transfers to countries with an adequate level of data protection (which has been determined by the EU). These include Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.
Attention when you transfer personal data to the USA! Generally, the data protection level in the USA is not considered being adequate. In order to still facilitate data transfers for European business partners, the EU and USA have entered into the “EU-US Privacy Shield” framework. To make use of this arrangement, the respective US-based company has to register itself to a specific list and self-certify itself. Prior to transferring data to this US company, your company only has to check whether the recipient is registered in the list of the US Department of Commerce and verify that the certification has not yet expired.
If the recipient does not fit in any of the above mentioned categories , your company, being the data controller, still has to ensure that the recipient provides an adequate level of data protection. In such a case it is strongly recommended to use the standard contractual clauses drafted by the EU. Such a contract can, in principle, be used without first consulting the supervisory authority provided that no changes are made to its provisions. If individual clauses have been changed by the contracting parties, the contract has be approved by the supervisory authority. Please keep in mind that data transfers that occur outside the scope of commissioned data processing operations always require a legitimate interest in the data in order to be considered legitimate.