What are our other key UK GDPR obligations in the context of international transfers?

The UK GDPR transfer rules are only one part of the wider compliance requirements under the UK GDPR.

We’ve included a few of these wider compliance requirements in the sections below. These are particularly relevant in your role as a controller or processor in the context of transfers. However, this isn’t an exhaustive list.

For further information on the wider compliance requirements, see our UK GDPR guidance and resources.

What are our other key responsibilities if we’re a controller in relation to restricted transfers?

If you’re a controller initiating, or allowing your processor to initiate, restricted transfers, you have other responsibilities in relation to those transfers.

For example, you must ensure that:

  • the restricted transfers comply with the data protection principles (article 5);
  • the restricted transfers have a lawful basis (article 6);
  • you inform people about the restricted transfers of their personal information (article 12);
  • you put in place appropriate technical and organisational measures and can demonstrate that the restricted transfers are in accordance with the UK GDPR (article 24);
  • the restricted transfers are recorded in your article 30 records of processing activities, if relevant; and
  • you put in place appropriate technical and organisational measures to ensure that the restricted transfers are made securely (article 32). The geographical location of the receiver’s processing is particularly relevant.

In addition, where you’re initiating a restricted transfer to your processor, you must:

  • meet the requirements of article 28, for example:
    • only using a processor that provides sufficient guarantees that they will implement appropriate technical and organisational measures to ensure their processing meets UK GDPR requirements, and
    • ensuring your processor has put in place a contract with any sub-processors that requires an equivalent level of protection for the personal information as you have in your contract with your processor; and
  • carry out a data protection impact assessment (DPIA) if the restricted transfer and the processor’s processing is likely to result in a high risk to people the transferred information is about (article 35).

You may also have to meet other requirements set out in a contract, such as a data sharing agreement or any other contract that involves sharing personal information.

What are our other key responsibilities if we’re a processor in relation to restricted transfers?

If you’re a processor initiating restricted transfers, you have other key responsibilities in relation to those transfers under article 28 (Processor) and article 32 (Security of Processing).

For example, you must:

  • transfer personal information only on documented instructions from your controller (in your contract or in subsequent written instructions); and
  • put in place appropriate technical and organisational measures to ensure the security of personal information when you transfer it. The geographical location of the receiver’s processing is particularly relevant.

If you’re initiating a restricted transfer to your sub-processor, you must ensure that:

  • you’ve obtained your controller’s general or specific authorisation to contract with that sub-processor;
  • your sub-processor has provided sufficient guarantees that it has in place appropriate technical and organisational measures to ensure its processing meets UK GDPR requirements, including in respect of any transfers it will be initiating; and
  • your sub-processor has a contract in place with its sub-processors that contains equivalent data protection obligations to those in your contract with your controller.

You may also have a responsibility under your article 28 processor contract (eg to ensure that you put in place appropriate technical and organisational measures to help your controller comply with the UK GDPR).

If we’re initiating a restricted transfer to a controller, what checks should we make about that controller?

Whenever you make a restricted transfer to a controller, you should carry out reasonable and proportionate checks that the controller will comply with its data protection obligations and the UK GDPR (if it applies to the controller).

These obligations are either:

  • under local data protection laws, if the restricted transfer is made under adequacy regulations; or
  • under your appropriate safeguards.

If you’re relying on appropriate safeguards to make the restricted transfer, you may have covered some of these checks in your TRA. If you’re relying on adequacy regulations or exceptions, you’re not required to complete a TRA. However, you should still complete these checks about the receiver.

These checks may help you meet some of your own responsibilities mentioned above. See What are our other key responsibilities if we’re a controller in relation to restricted transfers?

What about onward transfers?

If there might be onward transfers, you should also check how the receiving controller ensures both itself and its receivers will comply with their data protection obligations. For example, you could map out all onward transfers.

The level of detail you need for these checks depends on the circumstances, including:

  • the risks to people if you transfer their information to the controller; and
  • the likelihood of the information being further transferred (and the details of any likely onward transfers).

What practical steps could we take based on these checks?

Depending on the outcome of your checks, you could consider any or all of the following steps to reduce any risks you’ve identified:

  • Reduce or pseudonymise the personal information you’re transferring.
  • Review copies of the receiver’s contracts or risk assessments for onward transfers.
  • Require additional audits or checks of the controller’s processing and onward transfers in a contract (including copies of the receiver’s contracts or risk assessments for onward transfers).
  • Prohibit or impose conditions on any onward transfers in your contract with the controller.
  • Consider whether any contractual limits of liability are sufficient.

You could also consider other additional steps to reduce any risks you identify.

If we’re initiating a restricted transfer to a processor, what checks should we make about that processor?

Whenever you make a restricted transfer to a processor, you must make reasonable and proportionate checks that the processor will comply with its data protection obligations and the UK GDPR (if it applies to the processor).

These obligations will be found in the article 28 processor contract, as well as either:

  • under local data protection laws, if the restricted transfer is made under adequacy regulations; or
  • under your appropriate safeguards.

If you’re a processor initiating a restricted transfer to your sub-processor, you should be required to make these checks under your article 28 contract with your controller.

If you’re relying on appropriate safeguards to make the restricted transfer, you may have covered some of these checks in your TRA. If you’re relying on adequacy regulations or exceptions, you’re not required to complete a TRA. However, you should still complete these checks about the receiver.

These checks may help you meet some of your own responsibilities mentioned above. See What are our other key responsibilities if we’re a controller in relation to restricted transfers? and What are our other key responsibilities if we’re a processor in relation to restricted transfers?

What about onward transfers?

If there might be onward transfers, you should also check how the receiving processor ensures both itself and its receivers will comply with their data protection obligations. For example, you could map out all onward transfers.

The level of detail you need for these checks depends on the circumstances, including:

  • the risks to people if you transfer their information to the controller; and
  • the likelihood of the information being further transferred (and the details of any likely onward transfers).

What practical steps could we take based on these checks?

You must consider the outcome of your checks when deciding on the “sufficient guarantees” you need from your processor, as required by article 28.

Depending on the outcome of your checks, you could consider any or all of the following steps:

  • Reduce or pseudonymise the personal data you’re transferring.
  • Review copies of the processor’s contracts or risk assessments for onward transfers.
  • Require additional audits or checks of the processor’s processing and onward transfers in a contract (including copies of the receiver’s contracts or risk assessments for onward transfers).
  • Prohibit or impose conditions on any onward transfers by contract.
  • Consider whether any contractual limits of liability are sufficient.

You could also consider other additional steps to reduce any risks you identify.