What is a transfer?
The ICO's guidance pages on "International Transfers" walk through the 6 questions on its checklist for dealing with international transfers. For the purposes of this blog, we are focussed on question 1: Are we planning to make a transfer of personal data outside the UK?
The UK GDPR must apply to the personal data which is subject to the proposed transfer. But, whilst we often focus on "what is a transfer?", the ICO has provided some clarity on what is not a transfer:
- UK consumer to non-UK business: There is not a transfer where the data is collected directly from the consumer by an entity outside the UK.
- Same legal entity: There is not a transfer where the receiver of the data located outside the UK is not a separate entity. In order to qualify as a transfer, there must be a different controller or processor receiving or being given access to the data. This means that where an employee employed by a UK company is located outside the UK, the access or receipt of UK personal data by that employee from a location outside the UK does not constitute a transfer, as there is no different entity receiving the data. Likewise, it is not a transfer if a non-UK business collects data from its own UK branch office (or its own UK-based employee).
- Processor to Controller: Where a processor is returning personal data back to the same controller, this is not a transfer.
- Routing data through a country: Where personal data is transferred between two UK organisations but, by virtue of the systems used, it is routed through a non-UK country, this is not a transfer provided that the data is not accessed or manipulated while in that country.
Further guidance on transfers
The ICO also provides further guidance on determining the transfer obligations between parties.
A frequent concern in practice is for parties to determine who is in fact responsible for putting in place the transfer mechanism needed.
Whilst not said in black and white, in an example of who is responsible for a transfer the ICO suggests that it views transfers of data as following the contractual flow of the data, not the actual flow. See this text and example from the ICO:
"It is not a restricted transfer if you are sharing personal data under a contract with a UK service company, even if the data flows from yourself to that service company’s processor which is located outside the UK, for example. In that situation the restricted transfer may take place between the UK service company and its processor located outside the UK.
A UK healthcare company enters into an agreement with a UK processor for data analytic services on its patient data. The analytics are carried out by a sub-processor located outside the UK. The data flows directly from the UK company to the overseas sub-processor.
The UK healthcare company does not need to comply with the transfer rules as the restricted transfer takes place between the UK processor and its sub-processor."
The ICO indicates that only the entity who "initiates and agrees to the transfer" is responsible for compliance with the rules on transfers (i.e. in the scenario above, the transfer responsibility falls to the UK processor in its engagement of its sub-processor). However, whilst the UK healthcare company (the controller) is not responsible for the transfer between the UK processor and its sub-processor, it would have other obligations under the UK GDPR in respect of that data flow (e.g. due diligence on the UK processor to confirm how it complies with the transfer rules).
What does this guidance mean in practice?
This guidance provides welcome clarity on how the ICO sees transfers working in practice, and many UK-based organisations will no doubt welcome examples that reflect the types of sharing and circumstances they have questions about. The position on which scenarios are not a transfer will also support efforts within the business to identify its data flows and transfer compliance.
However, it is important to note that whilst the ICO has taken a more practical and pragmatic view, this does not mean that its analysis of what is or is not a transfer would be accepted by all EU regulators. Whilst the EDPB guidance on transfers does support some of these points (for example, that there is no transfer in a "same legal entity" scenario), other positions, such as following the contractual flow of data rather than the actual flow, may not be supported so explicitly across the EU or in EU guidance.
Organisations considering if or how to use the TRA tool should check out our blog on this topic. Looking ahead, the ICO plans to publish worked examples of the tool as well as guidance on how to use the IDTA and the UK Addendum to the EU SCCs.