2 min read

Writen by Adam

Posted on: January 15, 2021

Are you sharing data outside of the EU ? Read this

The rules relating to sharing data with any company outside the EU  have recently changed and the previously accepted standard contract clauses are no longer considered adequate. If you share data with any company outside the EU,  you need to ensure that you have completed a risk assessment as well as checking that your contract meets the standard clauses.

The EU Data Protection Board (EDPB) has issued ‘an FAQ’ on the invalidation of the Privacy Shield and the implications for Standard Contractual Clauses (SCCs). This guidance still applies to UK controllers and processors.

It is important to recognise that there is no grace period for companies to act and third-country transfers are currently illegal.

There is no guidance on how companies should ensure that data transferred is now safe and no information to help companies complete a risk assessment. So, until more guidance is provided, we are suggesting the following approach:

  1. List all third country transfers you currently have in place.
  • Document the data, nature of processing, and third-party details so you understand exactly what data is involved.
  • Ensure you have SCC’s in place with all third parties – in many cases these will be covered in the company’s terms and conditions.
  • Contact all third parties to ask for copies of any risk assessments they have completed. Don’t be too disappointed if you do not receive any as many companies are unaware.
  • Complete a Supplier Data Security Checklist for each company you share data with outside of the EU , focussing on the smaller companies. You can ignore Facebook, Google, Microsoft at this point
  • Review Facebook, Google, and Apple responses to this and keep a record of any updates.
  • Use this analysis to decide whether to stop transferring data to any company that fails your risk assessment.

This is a complex area, but we can help. We have produced a standard risk assessment template you can use and will keep you updated.

Recent blogs

Guidance for the use of personal data in political campaigning

Introduction It is vital in any democratic society that political parties and campaigners are ab

GDPR Regulations for CCTV , Photography and Video equipment and drones.

CCTV In general, CCTV is directed at viewing and/or recording the activities of individuals. The

Transferring personal data by USB device

USB devices offer a convenient way to transfer data between two computers. However, their small phy

Get Your Account Now

Setup in just 5 minutes. Enter your company details and choose the EU Representative services you need.

Give Us a Call

Not sure whether EU Representative applies to you or which option to choose? Call, email, chat to us anytime.


Stay Up-To-Date

Leave your details here and we’ll send you updates and information on all aspects of GDPR and EU Representative. We won’t bombard you with emails and you will be able to tell us to stop anytime.