What you need to know.
Do you sometimes transfer personal data to other undertakings (intra-group or third parties)? If so, additional obligations apply. Transfer of personal data does not necessarily require an active transfer of such data. Even if you merely store personal data in the cloud / on servers, and the cloud / IT provider has access to these personal data, this will be regarded as a transfer.
A transfer of personal data within the EEA does not pose a problem, since a uniform level of protection is applied throughout the EEA. However, a transfer outside the EEA is subject to additional conditions. In each case you must (i) conclude an agreement with this undertaking, if it concerns a processor / joint controller (see countdown 09), (ii) inform the data subjects about this transfer (see countdown 06) and (iii) guarantee that the legislation of this country offers an equivalent level of protection for personal data equivalent to that of the GDPR, if this undertaking is located in a country outside the EEA.
For some countries (e.g. Canada and Switzerland), the European Commission has already adopted an adequacy decision confirming this adequate level of protection. With regard to transfers to other countries, you will need to adopt binding corporate rules or conclude an international transfer agreement. You can use the model agreement of the European Commission for this purpose. If this is not possible, you will need to request the explicit consent of the data subjects for this transfer.
What you need to do by 25 May 2018.
First of all, within your own undertaking you must identify all other undertakings to which you transfer personal data. Secondly, for each of these undertakings you must determine where they are established and where their servers are located.
In a next step, you must conclude the necessary agreements with these undertakings if they qualify as a processor / joint controller and personal data are transferred outside the EEA.
Finally, in order to inform the data subjects, you need to incorporate into your privacy statement an acknowledgement that personal data are transferred to other undertakings.
Please consult our website or contact one of our team members if you have questions or require more information:
In the Picture - December 2018
Three people can only keep a secret if two are dead. A European recipe for trade secrets.