Transferring Data Outside of the EEA

Transferring Data Outside of the EEA

It is considered that countries within the European Economic Area (EEA) have adequate, legal protection in place to be able to transfer personal data securely.

You may transfer personal data to countries within the EEA on the same basis as you may transfer it within the UK, as is expressed by principle 8 of the Data Protection Act.

For example, if you have a British client buying a house in France, then the relevant authorities and businesses in France will need to receive the information of your client.

If you have a British client buying a house on an island in the Caribbean, however, then you will need to ensure that the territory has adequate data security measures in place before sending any personal data.

Transferring Data Outside of the EEA

Before sending personal data outside of the EEA, the ICO recommends you ask yourself the following questions:

  • Do you need to transfer personal data abroad?
  • Are you transferring the data to a country outside the EEA or will it just be in transit through a non-EEA country?
  • Have you complied with all the other data protection principles?
  • Is the transfer to a country on the EU Commission’s list of countries or territories providing adequate protection?

If the country is not on the EU Commission’s list, then:

  • Can you make an assessment that the level of protection for data subjects’ rights is ‘adequate in all the circumstances of the case’?
  • If not, can you put in place adequate safeguards to protect the rights of the data subjects whose data is to be transferred?