In the modern age of outsourcing, subcontracting, hosting and cloud services, personal data is frequently exported outside the UK. Under the Data Protection Act, there are strict rules about this.
And these rules change depending on where the data is being exported to. It is relatively straightforward where personal data is exported to another EU member state or to a member state of the European Economic Area, for example, although there are still rules to be complied with. It is more complicated where personal data is being exported outside the EU/EEA, as the rules depend on whether the country concerned has been designated by the European Commission as having adequate data protection laws. Where a country is not on the EU’s approved list, the rules are particularly stringent.
Critically, and this is especially relevant in relation to hosting and cloud services, the US is not on the EU’s approved list. This means that, unless the US business is a member of the EU-US Privacy Shield Framework, the most onerous requirements under the Data Protection Act will apply.
Getting it right means safely navigating the complex rules and putting in place the measures required by them. At Star Legal our expert data protection lawyers can help you understand what rules apply to your business and what you must do to comply with them. Where necessary, we can also prepare the formal agreements that your business will need to enter into with the other party to ensure that the data exporting complies with the Data Protection Act.
To find out what requirements your business will be subject to with regard to transferring personal data abroad, contact us today.