29th January 2019
International transfers under the General Data Protection Regulation
(First published in Travel Law Today – Autumn 2018)
For the majority of companies in the travel industry, being able to transfer personal data across the globe is critical. For example, a London-based tour operator booking a tour across Asia for a customer will need to share that customer’s personal data with numerous hotels, car rental and other tour operators outside the EU and the European Economic Area (EEA). Other, less obvious, examples are where a company has offices, or uses service providers, located overseas.
Where personal data is being transferred outside the EEA it must be given the same protection as that afforded by EU data protection legislation. The General Data Protection Regulation (GDPR), which came into force in May 2018, reinforces the position under the old Data Protection Directive, with some subtle differences that businesses in the travel sector should be alive to.
Are you making a restricted transfer?
The first step is to identify whether you are making a restricted transfer. This will be the case if:
- the processing of the personal data you are transferring is caught by the GDPR. For instance, if you are located in the EEA, or are processing personal data about individuals in the EEA; and
- you are transferring personal data to an organisation or individual to which the GDPR does not apply (usually because they are located outside the EEA). The receiver could be another company within the same group or a third party, but transfers to employees within the same company are not restricted.
Where personal data is transferred between two EEA countries via a non-EEA country (and there is no intention the data will be accessed or manipulated while it is outside the EEA) there is no restricted transfer.
However, ICO guidance states that putting personal data on to a website will often result in a restricted transfer when someone outside the EEA accesses that personal data (even if the data is uploaded to that website in the EU).
Will the personal data be adequately protected?
Where a restricted transfer is taking place, personal data must be guaranteed the same level of protection as provided by the GDPR. The European Commission has designated a number of non-EEA countries as ensuring adequate protection, and has made partial findings of adequacy for Canada and the USA. It is likely the UK will need to obtain an ‘adequacy decision’ post-Brexit.
If the destination non-EEA country has not obtained an adequacy decision, businesses may still proceed with the restricted transfer if they ensure “appropriate safeguards”. These include:
- Standard data protection clauses in contracts that involve restricted transfers (‘model clauses’).
A number of model clauses were adopted by the Commission under the old Data Protection Directive, and these are currently being updated. In the meantime, the ICO has said businesses can continue to use pre-GDPR model clauses in their contracts (and, happily, no amendments will be required once the Commission has adopted the revised model clauses). Supervisory authorities (eg the ICO) are also able to adopt model clauses, once approved by the Commission, but none have yet done so.
Model clauses must be used in their entirety and without amendment, although additional clauses on business-related issues can be included (provided they do not contradict the model clauses). Transfers based on model clauses no longer have to be notified to, or approved by, national data protection authorities (as they did under the old Directive).
- Binding Corporate Rules (BCRs).
Where restricted transfers of personal data are made within a multinational group (including a corporate group, franchises or joint ventures), members can be required to sign up to BCRs. These are rules that govern restricted transfers between a group’s EEA and non-EEA entities.
BCRs must be submitted for approval by an EU supervisory authority in an EEA country where one of the companies is based. The European Data Protection Board guidance contains information, including application forms, for organisations wishing to use BCRs.
- Signing up to approved codes of conduct, or accreditation with approved certification schemes.
These safeguards are not currently available, but once they have been adopted, they could be very useful in certain regulated sectors like the travel industry.
Do any exceptions apply?
If the restricted transfer is not covered by appropriate safeguards, it will only be permitted where one of seven exceptions apply. The most relevant exceptions to the travel sector are likely to be:
- the data subject has explicitly consented to the transfer; or
- the transfer is necessary for the performance of a contract between the data subject and the controller. This exception only applies to occasional restricted transfers that are necessary to perform the core purpose of the contract. For example, a UK travel company offering bespoke travel arrangements may rely on this exception to send personal data to a hotel in Costa Rica, provided it does not regularly arrange for its clients to stay at that hotel (in which case it should use an appropriate safeguard, such as model clauses).
So what now?
In summary, the position regarding the transfer of personal data outside the EEA remains largely unchanged under the GDPR. However, the procedure for using model clauses has been simplified, and organisations in the travel industry may in the future be able to rely on sector-specific codes of conduct, certification mechanisms or adequacy decisions.
Awareness of the rules surrounding restricted transfers will be critical for travel companies transferring personal data to and from the UK once the UK is no longer part of the EEA.
Don’t forget that if you are making a restricted transfer, you must also ensure you comply with the other provisions of the GDPR, including:
- employing the enhanced security measures required by the GDPR (particularly in relation to special category data); and
- putting the mandatory contractual arrangements in place with any third party who will be processing this