October 31st, 2017 | Sterling

GDPR: What You Need to Know About Cross-Border Data Transfers

Sterling is offering a 10-part webinar series about the changes to the way personal data is protected in the European Union when the EU General Data Protection Regulation (GDPR) applies on 25 May 2018. The first webinar in the series, “What You Need to Know with 12 Months to Go,” introduced the changes to data privacy laws to come. The fifth webinar in the series, “Cross-Border Data Transfers,” is now available on demand. The webinar, focusing on the transfer of personal data across borders, was presented by Oran Kiazim, Vice President of Global Privacy, and Beatriz Torets-Ruiz, Privacy Analyst & Legal Researcher.

What is a Cross-Border Data Transfer?

A cross-border transfer of personal data occurs when data is accessed or accessible from another country. Typically, you would think that a transfer involves the movement of data from point A to point B (or in the international context, country A to country B). However, EU law is a little different. European law promotes the free flow of data between countries within the European Economic Area (EEA) while transfers of data outside the EEA are generally restricted. For example, even if the data is stored in the EU but is accessed or accessible from Australia, then there is a data transfer.

Both the current Data Protection Directive and the GDPR focus on ensuring the free flow of data between EEA countries. However, the law restricts cross-border data transfers outside the EEA because there is a presumption that the law there would not provide an adequate level of protection compared to EU law.

Data Transfers in Background Screening

Due to globalization, the workforce is becoming more international and mobile. More candidates are living, working or studying in other countries than their original country of residence. In Europe, the free movement of workers is enshrined in EU law and so it is common for applicants to have pan-European experience. In many regions, companies are hiring from a larger pool of applicants. Therefore, companies will make data transfers when conducting background screening on these international candidates.

There are different types of mechanisms that companies can utilize to permit data transfers for their background screening programmes:

  • Adequacy decision by the European Commission for cross-border data transfers to certain countries, such as Canada or New Zealand, or to companies that have a Privacy Shield certification, which was designed by the U.S. Department of Commerce and the European Commission to assist companies in the EU with transferring data to companies in the U.S. through a mechanism that would meet data protection requirements and foster transatlantic commerce
  • Appropriate safeguards such as standard contractual clauses, approved code of conduct, approved certification mechanism, and Binding Corporate Rules (BCRs)
  • Derogations for specific situations such as explicit consent, necessary for the performance or conclusion of a contract and legal defence
  • Legitimate interest (for one-off transfers)

Cross-Border Data Transfers Under GDPR

Currently, companies are generally prohibited from transferring personal data outside the EEA to a third country that does not have an adequate level of data protection unless a mechanism which safeguards the data is in place. The GDPR changes little about cross-border data transfers compared with the current Data Protection Directive. For example, the GDPR continues recognizing adequacy decisions adopted by the Commission, but only for a maximum of 4 years, after which they may be amended, suspended or repealed.

The GDPR removes a lot of red tape from the contracting phase. GDPR cross-border provisions contain several transfer mechanisms that will no longer require notifying and/or obtaining an authorization from Data Protection Authorities (DPAs). The updates are expected to significantly reduce the administrative burden on companies in the contracting phase. This is the case for standard contractual clauses and DPA clauses. The existing model or standard contractual clauses under the Directive remain valid until amended, replaced or repealed, but there is no longer the need to obtain an authorisation from the relevant DPA to use this transfer mechanism. DPA clauses allow DPAs to develop and offer clauses similar to standard contractual clauses. However, the European Commission will need to approve these to prevent companies from forum-shopping.

The GDPR provides improvements for multinational organisations using Binding Corporate Rules. The GDPR gives BCRs official recognition as a means of lawfully transferring personal data to companies within the same group located outside the European Economic Area. It provides clear provisions on requirements and procedures for BCRs which apply across the EU, such as specific guidance on the list of criteria that BCRs must cover. Compared to the Directive, the GDPR makes the BCR approval process subject to the GDPR’s consistency mechanism, whereby DPAs are required to co-operate with each other and, where relevant, with the European Commission. Lastly, it removes any obligation to obtain additional approval from DPAs for transfers of personal data based on BCRs.

The GDPR also introduces a new derogation for one-off transfers that cannot be made on the basis of any of the mechanisms outlined in the GDPR and if none of the other derogations apply. This is when the transfer is necessary for the purposes of compelling legitimate interests pursued by an organisation which are not overridden by the interests or rights and freedoms of the individual.

Tips for Cross-Border Data Transfers

Please note: Sterling is not a law firm. The material available in this publication is for informational purposes only and nothing contained in it should be construed as legal advice. We encourage you to consult with your legal counsel to obtain a legal opinion specific to your needs.

With that in mind, Oran and Beatriz shared a few best practices for conducting cross-border data transfers relevant to a background screening program:

  • Consider whether the mechanisms that you currently use are appropriate under the GDPR
  • Ensure that the contractual framework is in place with your background screening provider (e.g., EU Standard Contractual Clauses)
  • Where transfers to the U.S. are necessary for your programme, make sure that your screening provider is certified under Privacy Shield
  • Make sure to explain data transfers to your candidates in the privacy notice and your background screening policy
  • Keep an eye on any new codes of conduct or certification schemes that could apply to your company

Sterling has been planning for the GDPR changes that will affect the background screening industry since 2016. One way to stay up-to-date on the GDPR changes and make sure that your organisation is compliant is to sign up for the Sterling GDPR 10-part webinar series. We are offering On-Demand webinars that tackle the many aspects of the GDPR, from privacy notices to candidate rights and how the changes will affect the background screening industry. Sign up today for our next webinar, “GDPR: Processing in the Employment Context (Article 88).”

This publication is for informational purposes only and nothing contained in it should be construed as legal advice. We expressly disclaim any warranty or responsibility for damages arising out of this information. We encourage you to consult with legal counsel regarding your specific needs. We do not undertake any duty to update previously posted materials.