Transfers of personal data outside of the European Economic Area (EEA)

General

The University of Dundee has responsibilities concerning the processing of personal data in terms of the General Data Protection Regulation (GDPR) and associated legislation. All staff and students are expected to respect the requirements of GDPR and ensure they do not undertake activities that are contrary to those requirements.

Any transfer of personal data to a third party (including sharing, transfer or processing on behalf of the University) must be governed by an appropriate agreement that meets the requirements of GDPR. There are no exceptions to this general requirement. The University has prepared style (standard) agreements to facilitating such transfers. 

Where data is transferred outwith the European Economic Area (EEA), additional requirements apply. This guidance concerns such international transfers.

Scope

This guidance is for any member of University staff who may be working with colleagues, partners or suppliers on activity which requires personal data to be shared beyond the EEA. When personal data is transferred outside of the EEA we must meet the requirements of GDPR and ensure that measures are in place to protect the personal data we are transferring. This type of transfer of data is known as a ‘restricted transfer’.

What countries are in the EEA?

The EEA Countries consist of the European Union (EU) member states and the European Free Trade Association (EFTA) States:

• The EU member states are Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the United Kingdom.
• The EFTA member states are Iceland, Liechtenstein, Norway and Switzerland. Should the UK exit the European Union in 2019 in a manner that does not include reciprocal data protection arrangements, the rules for international transfers are likely to apply to all overseas data processing, sharing or partnerships, regardless of whether the other party is in the EEA.

Matters to consider

Before making a restricted transfer you should consider the following:

• can you achieve your aims without sending personal data?
• can the data be anonymised so that it is never possible to identify individuals?

If the answer to either of these questions is yes, you can transfer the data outside of the EEA if you either remove the personal data altogether or ensure that it is wholly anonymous.

If the answer to either question is no then you will require to make a restricted transfer.

When can a restricted transfer be made

A restricted transfer can be made between two parties if they meet the specific requirements of GDPR. For the University this will normally mean that they have entered into a contract incorporating standard data protection clauses. These clauses are known as ‘standard contractual clauses’ or ‘model clauses’.

When entering into a contract you must:

• use a style of agreement that includes the standard contract clauses
• use the standard contract clauses in their entirety and without amendment
• refrain from negotiating the terms of the clauses

Style agreements

The University has style contracts that include the standard contract clauses. 

If you feel that the standard contract clauses in the style contracts are not suitable in your circumstances, please contact Information Governance for further guidance. You must not proceed to transfer personal data without seeking input from Information Governance on the safeguards for the data and the appropriate lawful basis for it to take place.

You must not enter into an agreement that requires the transfer or sharing of personal data if you are not sure that the contract is sufficient to allow a restricted transfer to be made.

Who to contact

If you require any additional information or guidance in relation to any transfers of personal data, including international transfers, please contact Information Governance at dataprotection@dundee.ac.uk.

Change control