This account is part of the Walker series on the Data Protection (Guernsey Bailiwick) Act 2017 (‘DPL“) and deals with the transfer of personal data outside Guernsey. A “data transfer” occurs when an individual’s personal data is transferred outside Guernsey. International data transfers are a complex area of data protection and this briefing provides only an overview. of the main elements.
A related explanation of the purpose of the DPL, some of the key concepts used in the DPL, what the data principles are, and the rights of data subjects can be found here.
Are international data transfers permitted under the DPL?
Whether international data transfers are permitted under the DPL depends on whether international data transfers areeuropean union“), to Member States of the European Economic Area (“EEA“), to an appropriate jurisdiction, or where the transfer is made pursuant to available safeguards, or as permitted by ODPA.
As with Guernsey, there are several jurisdictions that have been subject to European Commission ‘adequacy’ decisions. An “adequacy” decision by the European Commission (“EC”) will limit all data transfers between the appropriate jurisdiction and the EEA and between appropriate jurisdictions outside the EEA, known as “third” will be given the go-ahead. Countries”. Jurisdictions deemed “adequate” by the EC are likely to have data protection regimes roughly equivalent to those in the EU. If the transfer is to an “appropriate” jurisdiction, the controller is free to transfer data to and from that jurisdiction without creating any additional legal requirements or taking any additional steps. Masu.
The European Commission has so far recognized the following jurisdictions as providing adequate protection:
- Andorra;
- Argentina;
- Canada (commercial entity);
- Faroe Islands;
- Guernsey;
- Israel;
- Isle of Man;
- Japan;
- Jersey;
- new zealand;
- South Korea;
- Switzerland;
- England;
- United States (commercial organizations participating in the EU-US Data Privacy Framework), and
- Uruguay.
There are some large jurisdictions (such as China) that do not provide legal protection for personal data in the same way as the EEA and third countries (“Unauthorized jurisdiction“).
Transfer based on available safeguards
Where the controller or processor is satisfied that one or more specific safeguards are in place with respect to the personal data and that there are mechanisms for data subjects to enforce their data. may transfer personal data to individuals in unauthorized jurisdictions. protect the rights of subjects and obtain effective legal remedies against further controllers or processors; Safety measures include:
- a legally binding and enforceable agreement between the transferor of personal data and the further controller or processor, if both the transferor and the further controller or processor are public authorities;
- Binding corporate regulations approved by ODPA or other competent supervisory authority under the provisions of legislation equivalent or similar to the GDPR.
- Standard data protection clauses.
- An approved code combined with further binding and enforceable undertakings of controllers or processors to apply all relevant safeguards within the code, including with respect to the rights of data subjects.or
- Approved mechanisms, combined with further controller or processor binding and enforceable undertakings to apply relevant safeguards within the mechanism, including with respect to data subject rights.
Among the safeguards mentioned, standard data protection clauses appear to be the most common safeguards adopted/implemented by controllers when carrying out international data transfers.
What are standard data protection clauses?
Standard data protection clauses. Also known as standard contractual clauses (“SCC“) or model clauses include contractual obligations for data exporters (based in Guernsey) and data importers (based in unauthorized jurisdictions), and for individuals to whom personal data is transferred. These Terms have been approved by the EC, available on the website and recognized by ODPA for transfer purposes.
Use of standard data protection clauses
In June 2021, the EC published a new set of SCCs for international data transfers. The first set of SCCs govern international data transfers (Standard Contractual Clauses for International Transfers). The second set of SCCs governs data processing agreements between controllers and processors (Standard Contractual Clauses for Controllers and Processors in the EU/EEA).
Guernsey businesses making new relocations will need to take advantage of the new EC SCC. ODPA recognizes that the new SCC is an appropriate transfer mechanism for transfers from Guernsey to unauthorized jurisdictions.
In November 2022, ODPA published the “EU Commission’s Guernsey Bailiwick Addendum to Standard Contractual Clauses (SCCs)” (“Guernsey AddendumThe Guernsey Addendum is a legal document that allows controllers to make limited amendments to protect people’s data when used in conjunction with the EC SCC. In the event of a conflict or inconsistency between the Guernsey Additional Clauses and the provisions of the EC, the SCC intends that the provision that provides the greatest protection to the data subject shall prevail.
Relocation impact assessment
If the administrator intends to rely on available safeguards, the DPL (and ODPA) requires the administrator to carry out a “transfer impact assessment” (“TIAThe TIA assists controllers in ensuring that the actual protection provided by available safeguards is sufficiently similar to the principles of the DPL, and provides data subjects whose transferred data is protected under the DPL. provides essentially the same level of protection. ODPA expects administrators to implement her TIP by conducting a risk assessment. This takes into account the protection contained in appropriate safeguards and the legal framework of the destination country, including laws governing access to data by public authorities.
[View source.]
