What restrictions does the General Data Protection Regulation (GDPR) place on employers transferring employee data outside the European Economic Area?
An employer can transfer personal data outside the European Economic Area (EEA), for example to a benefits provider or to its own servers located outside the EEA, only if the conditions set out in Chapter V (Articles 44 to 49) of the General Data Protection Regulation (2016/679 EU) (GDPR) are met. The GDPR permits transfers to a country, a territory or one or more specified sectors within a country, or an international organisation, that the European Commission has decided, by way of an adequacy decision, ensures an adequate level of data protection. If there is no adequacy decision, the employer can transfer data outside the EEA only if appropriate safeguards are in place and enforceable data subject rights and effective legal remedies for the data subjects (ie the employees) are available. The GDPR allows these safeguards to be provided through:
- a legally binding agreement between public authorities or bodies;
- binding corporate rules (covering transfers within a group of undertakings);
- standard data protection clauses in the form of template transfer clauses adopted by the European Commission, or adopted by a supervisory authority (ie the Information Commissioner's Office in the UK) and approved by the European Commission;
- compliance with a code of conduct approved by a supervisory authority;
- an approved certification mechanism as provided for under the GDPR; or
- contractual clauses between the relevant parties, or provisions in administrative arrangements between public authorities or bodies, authorised by the relevant supervisory authority.
For example, personal data could be transferred to companies in the US that had signed up to the EU-US Privacy Shield framework, under which they committed to processing data in line with a set of principles and safeguards, and for which the European Commission had adopted an adequacy decision. That decision was invalidated by the Court of Justice of the EU on 16 July 2020 in Schrems II (Case C-311/18), so Privacy Shield can no longer be relied on as a transfer basis. The court also held that an exporter relying on standard contractual clauses must assess whether the law and practice of the destination country undermine the protection the clauses provide and, where necessary, adopt supplementary measures. Transfers to the US can now rely on the Commission's adequacy decision of 10 July 2023 for the EU-US Data Privacy Framework, but only for recipients that have certified under that framework; otherwise one of the safeguards listed above is required.