GDPR Cross Border Personal Data Transfer Procedure Template

by Nash V

Introduction

The GDPR rules on transferring the personal data of data subjects apply to all organizations operating within the EEA, and personal data may move freely between organizations inside the EEA borders. If any such organization intends to transfer its data subjects’ personal data to an organization outside of the EEA, it must go through several steps that aim to ensure that the personal data of its end-users remains private and that their rights are upheld. This procedure outlines the required steps of such a transfer. It applies whenever the receiving organization or any of its subsidiaries is located outside of the EEA borders.


Scope and Purpose

The procedure collates the five required steps, together with all the information needed to comply with the GDPR restrictions on this subject. The transfer of personal data to a recipient outside of the EEA is also known as a cross-border transfer, and it requires special attention. The risks involved in the transfer are assessed using a matrix that takes into account the type of data being transferred, its destination and the receiving organization’s track record in keeping data private.

The required steps for ensuring end-user privacy are as follows:

1. Personal data identification: Identify the personal data that is to be transferred, such as names, addresses, email addresses, and any other information that can be used to identify an end-user.

2. Determine the legal basis for the transfer: Any transfer of data requires a legal basis. This may include, but is not limited to:

a. Obtaining explicit consent from the individual.

b. Entering into standard contractual clauses with the recipient of the data.

c. Relying on other legal mechanisms, such as binding corporate rules or an adequacy decision by the European Commission.

3. Risk assessment: Identify the potential risks associated with transferring personal data outside of the EEA. The assessment must consider the nature of the data being transferred, the recipient of the data, and the country to which the data is being transferred.

4. Implement appropriate safeguards: Encryption of the personal data, pseudonymization, and contractual clauses which ensure that the recipient of the data complies with the requirements.

5. Monitor and review: Continuously evaluate the transfers to ascertain that the personal data is kept safe and that the statutes are adhered to.

Required Fields in the Procedure

The procedure should include the following fields:

1. Personal data attributes that are being transferred.

2. The legal basis for transferring the data.

3. Risk matrix.

4. Checks and balances for safeguarding personal data.

5. Follow-up processes.


The Obligations of the Data Controller

1. Complying with the statutes that govern this subject.

2. Evolving the procedure to increase the safety of personal data.

3. Recognizing the risks, following up on them and their mitigation.

4. Putting safeguards into place, such as encryption, watermarking files with the name and logo of the organization, allowing access to the personal data only to a select group of individuals, etc.

5. Scheduling periodic forums with the goal of assessing the known risks and recognizing new ones.

6. Meeting with the local GDPR authority representative to receive assessments of the risks associated with countries outside of the EEA.

7. Notifying the data subjects of the intent to share their personal data with entities outside of the EEA.

8. Keeping thorough records of the transfers.

Term Definitions

What is a Data Controller?

An organization or person who determines how the personal data collected from the data subjects is used. The data controller owns the collected personal data, decides in which ways it will be processed and bears the sole responsibility for safekeeping it.

What is personal data?

Any data which relates to an identifiable individual data subject. This can include information such as a name, phone number, email address, ID number, health records, political opinions, IP address, etc.

What is the processing of personal data?

Any act that is performed on the personal data collected from the organization’s data subjects. This may include actions such as storing the data, analyzing it in any way to extract insights, or deleting it once it is no longer required.

What is a data subject (also known as an end-user)?

Any person who created a unique username on the organization’s website, thus giving them the possibility of using that username to perform certain tasks and use features offered on the website.

What is the EEA?

The European Economic Area.

Key Takeaways / Conclusions

1. The goal of the procedure is to ensure that all the organizations that handle any personal data of the data subjects fully comply with the GDPR requirements, regardless of their physical location.

2. The data controller is responsible for ensuring that all the organizations which have access to the personal data treat it as confidential and comply with the GDPR statutes on the subject.

3. Each transfer may be reviewed in an internal or external audit. Hence, the records of such transfers must be readily available.

4. The data controller should make sure that the receiving organization has a designated point of contact for all queries related to the GDPR statutes.