We guide organisations on the lawful transfer of personal data, including for intra-group transfers or outsourcing arrangements. With the GDPR continuing to restrict the transfer of personal data outside of the EEA, we advise clients on the various international transfer mechanisms available to them to ensure the lawful transfer of data.
We work with organisations to map out their international data flows, based on a review of processing activities. We then advise them on which solutions best fit the proposed international transfers, including:
- EU Standard Contractual Clauses
- Binding Corporate Rules
- EU-US Privacy Shield
- approved Codes of Conduct or certification mechanisms (when they come on stream)
We can also implement the appropriate solutions for organisations, such as drafting relevant transfer agreements.
Data transfer during outsourcing
Aside from international transfers, organisations need to ensure – when they are planning to outsource a service that involves personal data – that they pay particular attention when selecting and managing their service provider. Robust due diligence should be undertaken prior to the award of a contract, with particular attention paid to the organisational and technical security measures implemented by the applicant. Also, any supply contract with a provider should have certain contractual provisions on data protection, including on liability, audits and security breach reporting.
We work with organisations to develop internal programmes that enable management of providers, including the implementation of pre-selection questionnaires, scoping out minimum security requirements and regular provider audits.