The UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

1. What happens if the organisation and data subjects are UK-based but the IT company which hosts the data is in the EU?

The UK organisation needs to comply with the UK GDPR. If they use an EU-based processor, they need to ensure they have a processor contract in place. If the processor is based in the EU, the UK organisation does not need to consider transfer safeguards because, under the UK GDPR, this is covered by adequacy regulations.

The EU processor needs to comply with their contractual obligations to the controller. As they are established in the EU, they also need to comply with processor obligations under the EU GDPR. This may have some implications for returning data to the UK, as EU transfer restrictions may apply.

We advise you to contact the EU processor’s local regulator for more advice on what they expect in this situation in order to comply with EU requirements.

2. What does “transit” mean? Is it the same as transferring the data?

No. Transit does not mean the same as transfer. If personal data is just electronically passed through another country but is not actually accessed in that country, then it is not a restricted transfer.