Global Data Transfer
Unlocking Global Data Mobility,
One Contract at a Time.
Any company that wishes to work with individuals or third parties who operate outside of their jurisdiction will need to transfer personal data. For most companies this is the case and international data transfers have become essential to the business-as-usual practices of companies.
Data Privacy regulations across the globe have implemented safeguards to ensure the business is run in a privacy safe manner. In this vein, four main mechanisms exist: Adequacy Decisions, Standard Contractual Clauses, Binding Corporate Rules, Transfer Impact Assessments, Derogations for Specific Situations.
How We Assess Data Transfers & Contractual Requirements
—
The requirements of the GDPR can be challenging to grasp, especially when determining which transactions necessitate these safeguards. We offer straightforward, proven solutions that can be customized to suit your specific requirements.
Our Advice
—
We advise you on transferring personal data to a particular country and to integrate the right mechanisms for the transfer. We coordinate with relevant Data Protection Authorities to understand the nuanced exceptions and limitations to the transfer of personal data abroad.
Evaluating Data Protection Provisions
—
Our Data Protection Agreement template establishes a proven privacy methodology which can be adapted to a variety of jurisdictions and types of vendors. It provides a standard and comprehensive set of Data Protection clauses which protects the personal data of your customers and employees. We further review the set Data Protection clauses from a contract with a vendor to ensure they meet the standard of GDPR and non-GDPR regulations.
Turnkey Solutions
—
We provide our own tailored transfer mechanism templates and adapt them to the sector you operate in and the jurisdiction receiving personal data. A range of formats can be provided for these templates, including leveraging the use of our partner’s automated software.
Outsourcing Requirements
—
We can manage and implement a clear framework to regulate data transfers to outside jurisdictions. We can externally be implemented as your DPO to coherently review Data Protection clauses within contracts and to implement Data Protection Agreements where needed.
In-house Expertise to Streamline Remediation
Coupled with our legally trained team's expertise, we specialize in interpreting and implementing GDPR and non-GDPR regulations within the current framework.
Our team's deep understanding guides us in selecting the most appropriate safeguards for each transaction, including Binding Corporate Rules and Standard Contractual Clauses. With substantial experience, we draft Data Protection clauses that align seamlessly with both GDPR and non-GDPR standards.
Standard Contractual
Clauses
Data Transfer Mechanisms
It has been envisioned that the use of Standard Contractual Clauses (SCCs) would be the main practical solution to the transfer of data to third countries. SCCs have now been implemented into contracts to ensure contractual safeguards are maintained for international data transfers. In the past year, many jurisdictions such as China and the European Union now demand SCCs to be in place for certain types of data transfers.
Key Considerations
-
The introduction of new SCCs at the end of 2022 negated the protections and safeguards provided by its old format meaning that contracts which have not been adapted are in breach of cross-border transfer requirements.
​
-
As these are legally binding clauses, instating the new SCCs can be burdensome and oftentimes selecting the correct Module and its variations can be an onerous task.
​
-
The task of implanting the new SCCs into existing and upcoming contracts should not be underestimated.
We have ample experience implementing SCCs into both simple and complex transactions. We use our tailored SCC template to analyze the data relationships with your vendors whether this be Controller-Controller, Controller-Processor, Joint Controllership or if you simply do not know.
We have identified a clear approach for the preparation of new contracts and the remediation of legacy/existing contracts. Our team thus offers a holistic process which supports you from the start to the finish of the implementation.
Binding Corporate
Rules
Data Transfer Mechanisms
In specific circumstances, companies utilize Binding Corporate Rules (BCRs) to create a unified internal Data Protection policy which regulates transfers with vendors and other third parties. We can assess whether BCRs are the correct route to regulate a particular international data transfer or if another approved transfer mechanism should be in place.
Conditions
—
The condition of enabling an organization to create its own BCRs is that they must firstly, comply with the GDPR. Secondly, the BCRs must obtain approval from a recognized Data Protection Authority. Both these requirements can be difficult for the average organization to fulfil, hence why we offer a BCR implementation service.
Support
—
Our consultants are experts in the specific requirements needed for international data transfers under Article 47 of the GDPR ensuring that they fulfil the requirements of transparency, data quality and security. We have experience dealing with Data Protection Authorities meaning that we can increase fluency BCRs that can be approved through simple liaison.
Data Transfer Mechanisms
Transfer Impact Assessments
Transactions concerning the transfer of personal data internationally must be assessed on a case-by-case basis even where SCCs or BCRs have been executed. Transfer Impact Assessments observe the risk to the personal data being transferred within the transaction.
For a typical organization operating on a global scale, a surprisingly large number of TIAs must be enacted to comply with the GDPR. Accessing the information needed from counterparties and further third-party vendors can be time-consuming more so in the absence of teams having the requisite privacy knowledge.
Our Approach
—
We provide a tried-and-tested solution. Our TIA template provides a holistic assessment of privacy risk through accounting for a number of stakeholders, varying types of personal data and jurisdictions to help you comply. We leverage our knowledge of both GDPR and non-GDPR regulations to assess the overall risk to the data of your clients and consumers.
With the use of our partners, we use software implementation and automation to tailor TIAs to the specific and up-to-date requirements of a range of GDPR and non-GDPR regulations. From this result, it can then be assessed whether SCCs and other contractual amendments need to be instated.
Staying vigilant for seamless data transfers and privacy compliance worldwide
Adequacy
Decisions
—
The European Commission alongside other Data Protection Authorities have outlined whitelisted countries to which international data transfers can take place without the necessity of additional contractual, technical, or organizational safeguards being implemented.
We maintain up-to-date checks on the approval of these third countries as adequate whether this has been set by the European Commission or other non-EU authorities. This will allow for seamless transfers of data which is beneficial for companies operating on a global scale.
Derogations for
Specific Situations
—
If none of the safeguards for the transfer of personal data apply, derogations for specific situations can be used where a Data Subject has consented to the transfer, or it is necessary for the performance of a contract for example.
To help your international data transfers be privacy complaint, we would conduct a risk assessment to assess the protections afforded to Data Subjects and the interests surrounding the transfer of data. This can be tailored to the specific type of personal data being used by you as well as acknowledging the specific data privacy landscape of the jurisdiction the data is being transferred from and to.