Welcome to this instalment of our blog series on the GDPR. This post looks at the responsibilities the GDPR places on data controllers and data processors when an individual's (the data subject's) personal data is shared with another EU member state. It then looks at the impact the GDPR has on organisations that share a data subject's information with an organisation outside the EU.
When an organisation operates in two or more EU member states, it has an obligation to determine which supervisory authority is its lead supervisory authority, for example the Information Commissioner's Office (ICO) in the UK. The lead supervisory authority is determined by the following criteria:
- When a data subject's data is processed or stored in more than one member state, what matters is where within the EU the organisation's main establishment is. This is normally its central administration, but it is the establishment where the decisions on the purposes and means of processing are actually taken by the persons having significant control of the organisation, which need not be the place where the servers sit.
- When all data storage and data processing is conducted in a single state, and the decisions about that processing are taken there, the supervisory authority for that state will be the lead authority. To illustrate this, if an organisation has administrative centres in the UK, France and Italy, but all data processing and data storage is carried out and decided upon in Italy, then the Italian data protection authority (the Garante) is the lead supervisory authority regardless of which state the data originated in.
Should an organisation wish to transfer data outside the EU, either to a third country or to an international organisation, the GDPR imposes restrictions aimed at ensuring a level of protection for the individual that is at least equivalent to that of the GDPR. An individual's personal data may only be transferred outside the EU if the conditions of Chapter V of the GDPR are met. The minutiae of Chapter V are beyond the scope of this blog. However, as a very loose rule: a transfer is permissible if the Commission has decided that the third country, a territory or specified sector within it, or the international organisation ensures an adequate level of protection (an adequacy decision). In the absence of such a decision, a transfer may only proceed with appropriate safeguards in place, such as standard contractual clauses or binding corporate rules, or under one of the narrow derogations for specific situations.
Any organisation wishing to transfer data outside the EU, for whatever purpose, should seek the advice of its supervisory authority and, where the chosen transfer mechanism requires it (for example, ad hoc contractual clauses), its authorisation. Supervisory authorities are not there only to enforce the GDPR, but to help organisations and individuals understand and comply with the full requirements of the legislation.