Information for staff > Data protection > Data protection guidance > Transferring information to other organisations > Exemptions to the prohibition of transfers of personal data outside the EEA

Exemptions to the prohibition of transfers of personal data outside the European Economic Area (EEA)

On this page:

• What is the purpose of this guidance?
• Legal context
• In what circumstances are transfers of personal data outside the European Economic Area (EEA) allowed?

In this section:

• Overview guidance on the issues to consider when transferring personal data to other organisations
• Guidance on the contractual requirements and the model contract clauses to use when transferring personal data to a:
  • Data processor in the EEA
  • Data controller in the EEA
  • Data processor outside the EEA
  • Data controller outside the EEA
• Countries in the EEA and on the approved list

If you have any comments about this guidance document, we would very much appreciate hearing them. Please contact us with your feedback.

• Feedback form

What is the purpose of this guidance?

This page explains in what circumstances transfers of personal data outside the EEA to countries not on the approved list is permitted without a written agreement.  It is relevant to any member of University staff considering sending information about living, identifiable individuals to another organisation or individual based overseas.  It is part of a set of guidance which deals with the transfer of information to other organisations.

• What is personal data?
• Countries in the EEA and on the approved list

Legal context

The eighth data protection principle of the Data Protection Act 1998 states that personal data must not be transferred to countries outside the European Economic Area (EEA) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data, or unless an exemption applies.

It is normally a requirement of the Data Protection Act that the University has in place a written agreement when it does transfer personal data to organisations outside the EEA and not on the approved list.  In certain circumstances however it is not a legal requirement to have an agreement in place when transferring information outside the EEA.  These circumstances are outlined below.

In what circumstances are transfers of personal data outside the European Economic Area (EEA) allowed?

There are exemptions to the prohibition on transfers of personal data outside the EEA.  These are most likely to occur when information is transferred to another data controller. When transferring data to a data processor the University should usually have a written agreement in place, regardless of where the transfer is taking place.

• What is a data controller?
• What is a data processor?

The exemptions include the following circumstances:

1. The country is on the approved list, and the organisation meets all the qualifications to that approval

• List of approved countries

2. The data subject has given their consent to the transfer. In most cases this would entail a person actually indicating that they agreed to the transfer, rather than that they failed to object when told about it. For example, a student in India asks the University to confirm their degree to an Indian employer.

• What is a data subject?

3. The transfer is necessary for the performance of a contract between the data subject and the University, or for the taking of steps at the request of the data subject with a view to her entering into a contract with the University. For example, sending a degree certificate for a Chinese student to their home address in China.
4. The transfer is necessary for the conclusion or performance of a contract between the University and another organisation, where the contract has been entered into at the request of the data subject or is in their interests. For example, visiting students who study for a short time at the University, but whose grades need to be reported to a university overseas so that they can obtain their degree, or students who receive funding from overseas funding bodies that require evidence of satisfactory performance.
5. The transfer is necessary for reasons of substantial public interest required by or under an enactment. For example, the investigation of a serious crime would be considered a necessary reason to transfer personal data outside the EEA.
6. The transfer is necessary to exercise, establish or defend legal rights, including for the purposes of obtaining legal advice or in connection with prospective or actual legal proceedings.  For example, if the University is asked to give evidence in a case involving a fraudulent claim to a qualification.
7. The transfer is necessary to protect the vital interests (i.e. life and death concerns) of the data subject. For example, it would be acceptable to transfer medical records overseas for the purposes of emergency treatment under this exemption.

Please note that the test of necessity identified in many of these exemptions is a high test – the transfer should not merely be convenient or desirable.

If the transfer of personal data does qualify for one of these exemptions, it is unlikely that an agreement will be required, but you may choose to use the optional data controller to data controller EEA contract clauses.

• Model contract clause for transfer to a data controller in the EEA or one of the approved countries

It is unlikely that these exemptions will apply to most transfers of personal data to overseas organisations conducted by the University, so when an overseas transfer takes place there will usually be a requirement to have a formal written agreement to ensure that adequate protection is afforded to the personal data being transferred.

Page last updated: Wednesday November 03 2010