TRU GDPR Blog – The GDPR and International Data Transfers and Processing

TRU GDPR Blog –  The GDPR and International Data Transfers and Processing

 International Data Transfers and Processing

Welcome to this instalment of our blog series concerning the GDPR . This blog will look at the responsibilities the GDPR places on data controllers and data processors when an individual’s data (the data subject’s) is shared with another EU member state. Additionally, it will look at the impact GDPR will have on organisations who share a data subject’s information with an organisation outside the EU.

When an organisation operates in two or more EU member states, the organisation has an obligation to determine who their lead supervisory authority is, for example, the Information Commissioner’s Office (ICO) in the UK. In determining who the lead supervisory authority is the following criteria are used:

  • When a data subject’s data is processed or stored in more than one member state, the whereabouts within the EU of the main administrative centre of the organisation is key.. This will be where the decisions on the purposes for storing and processing data are made by ‘persons having significant control’ of the organisation.
  • When all data storage and data processing is conducted in a single state, the supervisory authority for that state will automatically be the lead authority. To illustrate this, if an organisation has administrative centres in the UK, France, and Italy, but all data processing and data storage is carried out in Italy, then the Italian Data Protection Agency (IDPA) is the supervisory authority regardless of the state originating the data.

Should an organisation wish to transfer data outside the EU to either a third country or to an international organisation, the GDPR imposes restrictions that are aimed at ensuring a level of protection for the individual that is at least the equivalent of the GDPR An individual’s personal data may only be transferred outside the EU if all the conditions of Chapter V of the GDPR are met. The minutiae of Chapter V are beyond the scope of this blog. However, a brief outline that would serve as a very loose rule is that data transfers are permissible if the Commission has decided that a third country, territory or an international organisation with an administration centre in an otherwise non-compliant country outside the EU  has ensured and proved an adequate level of protection.

Any organisation wishing to transfer data outside the EU for whatever purpose should seek not only the advice, but also the consent of their supervisory authority. Supervisory authorities are not there only to enforce the GDPR, but to assist organisations and individuals to understand and be compliant with the full requirements of the legislation.

Related Products

TRU Cloud

The right place in the cloud to run your Transportation Optimisation.

TMS made easy: the transportation management system combining cloud, mobile and social technologies for complete TMS capabilities.

TRU Cloud Brings Same-Day, Rapid-Deployment Transportation and Logistics Management.

View Product

TRU Connect

Integration is the key to clean seamless data movement between business systems.

In the past Transportation Platforms have often been implemented via a cumbersome combination of text file and manual operational processes, or complex inflexible API’s that can be expensive to build and maintain.

View Product

TRU Platform

Our transport management system "TRU Platform" is designed to help companies plan and manage transport operations that drive business growth. 

Optimise delivery schedules and track orders through to final delivery and Invoicing. TRU Platform also is a business analytics tool that transforms transportation data into meaningful views of order / fleet performance.

View Product

More from News