2 min read

Writen by Adam

Posted on: January 15, 2021

Are you sharing data outside of the EU ? Read this

The rules relating to sharing data with any company outside the EU  have recently changed and the previously accepted standard contract clauses are no longer considered adequate. If you share data with any company outside the EU,  you need to ensure that you have completed a risk assessment as well as checking that your contract meets the standard clauses.

The EU Data Protection Board (EDPB) has issued ‘an FAQ’ on the invalidation of the Privacy Shield and the implications for Standard Contractual Clauses (SCCs). This guidance still applies to UK controllers and processors.

It is important to recognise that there is no grace period for companies to act and third-country transfers are currently illegal.

There is no guidance on how companies should ensure that data transferred is now safe and no information to help companies complete a risk assessment. So, until more guidance is provided, we are suggesting the following approach:

  1. List all third country transfers you currently have in place.
  • Document the data, nature of processing, and third-party details so you understand exactly what data is involved.
  • Ensure you have SCC’s in place with all third parties – in many cases these will be covered in the company’s terms and conditions.
  • Contact all third parties to ask for copies of any risk assessments they have completed. Don’t be too disappointed if you do not receive any as many companies are unaware.
  • Complete a Supplier Data Security Checklist for each company you share data with outside of the EU , focussing on the smaller companies. You can ignore Facebook, Google, Microsoft at this point
  • Review Facebook, Google, and Apple responses to this and keep a record of any updates.
  • Use this analysis to decide whether to stop transferring data to any company that fails your risk assessment.

This is a complex area, but we can help. We have produced a standard risk assessment template you can use and will keep you updated.

Recent blogs

EU representatives – your FAQ’s answered

Here at GDPRlocal, we get lots of questions about what exactly an EU  Representative is, what

Ico examines public confidence in data protection

The ICO recently released the results of a survey they created as part of their strategic plan to e

The biggest GDPR fines of 2020 (and how to avoid them)

Breaching the GDPR can cost you up to €20 million, or 4% of annual global turnover, whichever is

Get Your Account Now

Setup in just 5 minutes. Enter your company details and choose the EU Representative services you need.

Give Us a Call

Not sure whether EU Representative applies to you or which option to choose? Call, email, chat to us anytime.


Stay Up-To-Date

Leave your details here and we’ll send you updates and information on all aspects of GDPR and EU Representative. We won’t bombard you with emails and you will be able to tell us to stop anytime.