Avoiding the Common Pitfalls of Data Sharing Risks – Part 1

Understanding Potential Data Protection Risks

In our interconnected world, data sharing is crucial for business operations and personal interactions. Whether sharing customer information, collaborating with partners, or using cloud services, data is always on the move. However, this convenience comes with the responsibility to ensure data is shared securely and responsibly.

In data protection terms there are two considerations which need to be addressed:

  1. Whether there are adequate legal safeguards in place to allow the transfer to take place; and
  2. Whether there are adequate organisational and technical measures in place to protect the data being shared.

In this blog, we focus on the first of these considerations: how we can lawfully share personal data.

Data Processors

Article 28 of the GDPR requires data controllers to use processors who provide sufficient guarantees to protect personal data. These guarantees must be included in a binding contract with specific clauses outlined by the GDPR.

Unlike ‘Standard Data Protection Clauses’ (see International Transfers below), the wording of these clauses is not mandated and can vary, which makes verification difficult. Using a checklist and seeking legal help is advisable.

These clauses ensure appropriate technical and organizational measures are in place to meet GDPR requirements and protect data subjects’ rights. The contract ensures the processor acts only on the controller’s instructions, maintains confidentiality, implements security measures, and obtains consent for sub-processing.

A Data Processing Agreement (DPA) must also be in place, specifying the nature, purpose, types of personal data, and duration of the processing. The DPA can be part of the contract, usually as a schedule.

Joint Data Controllers

Joint Data Controllers are explicitly mentioned in the regulation, requiring a Data Sharing Agreement (DSA).

Joint Controllers are two controllers using the same data for similar purposes, such as two organizations sharing data collected at a trade show for marketing. This might confuse data subjects about who controls their data or handles complaints.

A DSA sets the terms of data sharing, ensuring transparency and cooperation between parties when a data subject makes a request. It also puts safeguards in place to protect data subjects. A DSA is required under Article 29 of the GDPR and must not be omitted.

Data Controllers

Data protection between Data Controllers is usually covered in a contract. For example, an organization engaging a pension provider should address data protection concerns in their contract. Since both parties control the data for their own purposes, these clauses are typically limited and not mandated by regulation. However, having a sharing agreement is good practice.

Data protection regulation requires ‘Accountability,’ so documenting and recording assessments is crucial for compliance. A solution like ProvePrivacy can help with this.

International Data Sharing

To share personal data internationally, additional safeguards are needed. These vary depending on whether the destination is an “Adequate Country” or a “Third Country.”

Adequate Countries

An “adequate country” is a non-EU country that the European Commission has determined provides data protection equivalent to the EU. This is decided through an adequacy decision, assessing the country’s data protection laws, enforcement, and commitments.

Countries with an adequacy decision include Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the UK, and Uruguay. This list can change; the current list is available here:

https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en

Data transfers to these countries can occur without additional safeguards, similar to within the EU.

Third Countries

A “third country” is any country outside the European Economic Area (EEA), which comprises the EU member states plus Iceland, Liechtenstein, and Norway. When transferring personal data to a third country, special rules and safeguards apply to ensure the data remains protected.

An adequacy decision by the European Commission confirms that a third country provides comparable data protection to the EU, allowing transfers without additional safeguards. If no adequacy decision exists, appropriate safeguards like Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) must be in place. These pre-approved clauses cannot be altered, or they become invalid.

Other safeguards, such as approved codes of conduct, are less common. If no safeguards exist, data transfers may still be possible with the explicit consent of the data subjects, or with limited approval from the regulator for one-off transfers where there is a compelling legitimate interest.

Regular audits and assessments should ensure ongoing compliance and address potential risks associated with data sharing.

United States

The United States is not an ‘adequate country,’ but the EU-U.S. Data Privacy Framework (DPF) provides a level of assurance at the organizational level. This framework, developed by the U.S. Department of Commerce and the European Commission, allows U.S. organizations to self-certify their adherence to privacy principles, ensuring EU data subjects’ rights are protected. The UK has adopted this framework for its own purposes.

Data Protection Professionals should remain vigilant about changes to this framework, as it is considered by some to be on thin ice. Legal scrutiny and potential invalidation, similar to the EU-U.S. Privacy Shield’s fate in the Schrems II decision, could jeopardize the framework’s validity and disrupt data transfers. Concerns about U.S. government surveillance and the adequacy of privacy protections for UK data subjects remain contentious issues.

Conclusion: Prioritise Security, Responsibility, and Awareness

In conclusion, data sharing is essential, but it comes with the responsibility to ensure lawful and responsible handling. Legal safeguards and technical measures are crucial for lawful data sharing.

For data processors, Article 28 of the GDPR mandates binding contracts with specific clauses to protect personal data. Joint Data Controllers require a Data Sharing Agreement (DSA) to ensure transparency and cooperation. Data Controllers should have contracts addressing data protection concerns, emphasising accountability.

International data sharing requires additional safeguards, varying by destination. Adequate countries have EU-equivalent data protection, while third countries need specific safeguards like Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs). Regular audits and assessments are vital for compliance.

The EU-U.S. Data Privacy Framework provides assurance for U.S. data transfers, but vigilance is needed due to potential legal challenges. Ensuring robust data protection practices is key to maintaining trust and compliance in data sharing activities.

Get in touch to see how the ProvePrivacy platform can assist in avoiding these pitfalls.
