What is a data transfer?
A data transfer happens when personal data is processed, shared, added, uploaded, hosted, accessed, or sent outside Europe.
Why and how should I assess this?
Simply put, EU law says European levels of protection must travel with data. If data is transferred outside the EU, the following questions must be assessed:
Has the European Commission reached an “adequacy decision” about the country where the receiver is based?
Some countries have received the status of “secure third countries.” At present, the list consists of Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay, United Kingdom, and South Korea.
Do appropriate safeguards cover the transfer?
If data is transferred outside Europe to a country not on the list of secure third countries, there must be a legal basis for the transfer. The legal basis is often the standard contractual clauses (SCCs) approved by the European Commission.
Some vendors have added a description of their impact assessment for data transfers – this is a great sign and implies that the vendor has taken steps to ensure that their customers in Europe can continue to use them as a vendor.