Procedure for International Transfers of PII
ISO/IEC 27701 Toolkit: Version 1 ©CertiKit
Implementation guidance

The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.
Purpose of this document

This procedure sets out how the organization will meet, as a minimum, the requirements of applicable privacy legislation when transferring PII to third countries or to an international organization.
Areas of the standard addressed

The following areas of the ISO/IEC 27701 standard are addressed by this document:

• Annex A
  o A.7.5 PII sharing, transfer and disclosure
    ▪ A.7.5.1 Identify basis for PII transfer between jurisdictions
    ▪ A.7.5.2 Countries and international organizations to which PII can be transferred
    ▪ A.7.5.3 Records of transfer of PII
General guidance

If you’re going to transfer PII outside of the jurisdiction to which it relates (for example, transferring the PII of EU citizens outside of the EU), there may be several hoops to jump through to ensure it stays legal. This will be affected by international politics and will change over time, so the important thing is to keep an eye on the website of the supervisory authority of the relevant country, both for the list of acceptable countries and for helpful guidance on areas such as standard contractual clauses and binding corporate rules.

Recent examples of significant changes include:

1. In July 2020, the EU-US Privacy Shield was declared invalid by the Court of Justice of the European Union (CJEU) and so is no longer available to allow transfers of EU PII to the US.
2. From 1 Jan 2021, Brexit further complicates the picture for PII transfers to and from the UK. The Brexit treaty agreed between the EU and the UK at the end of 2020 allows for a six-month grace period for transfers to the UK, and an adequacy decision may (or may not) be made by the EU once this expires.

Both of these examples will change over time, so it’s important to stay in touch with developments.
Version 1
Page 2 of 12
[Insert date]
Review frequency

We would recommend that this document is reviewed at least annually.
Document fields

This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”. To update this field (and any others that may exist in this document):

1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.
2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).
3. Press F9 on the keyboard to update all fields.
4. When prompted, choose the option to just update TOC page numbers.

If you wish to permanently convert the fields in this document to text, for instance, so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9.

If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly.

Further detail on the above procedure can be found in the toolkit Completion Instructions. This document also contains guidance on working with the toolkit documents with an Apple Mac, and in Google Docs/Sheets.
Copyright notice

Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.
Licence terms

This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence.
If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.
Disclaimer

Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect to its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.
Procedure for International Transfers of PII

Version 1

DOCUMENT CLASSIFICATION: [Insert classification]
DOCUMENT REF: PIMS-DOC-A75-1
VERSION: 1
DATED: [Insert date]
DOCUMENT AUTHOR: [Insert name]
DOCUMENT OWNER: [Insert name/role]
Revision history

VERSION | DATE | REVISION AUTHOR | SUMMARY OF CHANGES

Distribution

NAME | TITLE

Approval

NAME | POSITION | SIGNATURE | DATE
Contents

1 Introduction ... 8
2 Procedure for international transfers of PII ... 9
2.1 Determine the destination country or countries ... 9
2.2 Establish whether an adequacy decision applies ... 9
2.3 Implement appropriate safeguards ... 9
2.3.1 Binding corporate rules ... 10
2.3.2 Standard contractual clauses ... 10
2.3.3 Codes of conduct ... 11
2.3.4 Certification schemes ... 11
2.4 Other acceptable conditions for transfers of PII ... 11
2.5 Exceptional transfers ... 12
2.6 Putting the transfer in place ... 12
1 Introduction

This procedure is intended to be used when putting in place a new arrangement for the transfer of PII between countries or to an international organization. It may also be used when validating whether existing arrangements meet the requirements of the applicable privacy legislation.

An international organization may be variously defined in regulations, but for reference is defined by the EU GDPR as “an organization and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries” (EU GDPR Article 4).

The intention of privacy legislation within a country is to protect the PII of its citizens wherever it is held; there are often strict requirements governing where PII can be transferred to and the measures that must be in place for such a transfer to be legal. The penalties for contravening the legislation can be significant, and care must be taken by [Organization Name] to ensure that we remain within the relevant law at all times.

Privacy legislation is an involved subject that can vary significantly in different countries, and care must be taken to identify the specific legislation that applies to each transfer of PII made by [Organization Name]. Rules such as adequacy decisions can also change over time, so it is important that regular updates are obtained, and their impact on transfer arrangements assessed.

This procedure should be considered in conjunction with the following related documents:

• PII Controller-Processor Agreement Policy
• Privacy Impact Assessment Process
• Records Retention and Protection Policy
• Privacy and Data Protection Policy
• PII Principal Request Procedure
2 Procedure for international transfers of PII

2.1 Determine the destination country or countries

In order to establish whether a transfer of PII is legal under the applicable legislation, the destination country or countries must be firmly established, along with any other countries that will receive an onward transfer of the PII as part of the arrangement. This may also involve reaching a clear understanding of the legal basis of any international organizations that will be receiving the PII, in particular the countries that are part of the agreement governing those organizations.
2.2 Establish whether an adequacy decision applies

Once a clear understanding of the destination country or countries of the PII has been established, the list of countries and international organizations for which an adequacy decision applies must be consulted. This list is usually published on the website of the relevant authority of the country or countries involved; for example, for the EU this is the Official Journal of the European Union and the European Commission website (ec.europa.eu).

[Note: currently the list of countries subject to an EU adequacy decision may be found at http://ec.europa.eu/justice/data-protection/internationaltransfers/adequacy/index_en.htm and is as follows: Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay, but this is subject to change. Note that the Brexit treaty agreed between the EU and the UK at the end of 2020 allows for a six-month grace period for transfers to the UK, and an adequacy decision is generally thought to be likely.]

An adequacy decision means that the relevant country considers the level of protection for PII in the destination country to be acceptable, and therefore transfers do not require any additional legal safeguards to be put in place. Adequacy decisions are regularly reviewed (at least every four years in the case of the EU) and can be repealed if the relevant authority no longer considers that the country in question meets its requirements for protection of PII.
2.3 Implement appropriate safeguards

If the country, or one or more of the countries, to which PII is to be transferred is not subject to an adequacy decision from the country to which the PII relates, appropriate safeguards may need to be put in place to provide for PII principals’ rights and enforceable legal remedies. There are several ways in which privacy legislation generally allows for these safeguards to be provided. These may include:

1. Between public authorities or bodies only, via a legally binding agreement which is capable of being enforced
2. Using binding corporate rules
3. Using standard data protection clauses adopted by the relevant supervisory authority
4. Via an approved code of conduct
5. Via a certification scheme

The status of some of the above safeguards may change over time, as privacy law becomes more mature and further guidance is issued both by the relevant governments and the individual supervisory authorities. The most appropriate method of providing protection for the rights of PII principals whose data will be transferred should be chosen and incorporated into the contractual clauses of the relevant agreement.
2.3.1 Binding corporate rules

The supervisory authority that is relevant to the transfer may have the power to approve a set of binding corporate rules (BCRs) that may be used to cover the transfer of PII from a data protection viewpoint. These binding corporate rules are usually required to specify all aspects of the transfer, including how data protection will be provided, how PII principals will exercise their rights and how compliance will be verified. As an example, the full requirements for the EU GDPR are listed in Article 47 (“Binding corporate rules”) paragraph 2, points a) to n).

The initial creation and approval (by the supervisory authority) of BCRs is a significant piece of work that must be approached with the full commitment of the senior management of [Organization Name] and may take a long time to achieve (more than twelve months is not uncommon). There may be an existing set of BCRs that may apply to the transfer being considered, and advice should be sought from the legal department if it is intended to use this route to comply with the applicable privacy legislation regarding a data transfer.
2.3.2 Standard contractual clauses

The relevant government and supervisory authority may create and maintain sets of model data protection clauses that are intended to be used in contracts that apply to the international transfer of PII. When used in their entirety, these clauses are generally accepted as meeting the requirements of the applicable legislation to provide adequate safeguards. To obtain the latest version of these clauses, refer to the website of the relevant supervisory authority or government department.
2.3.3 Codes of conduct

Privacy legislation may provide for the drawing up of appropriate codes of conduct by organizations such as associations and industry bodies to address compliance with its requirements. Organizations then agree to abide by the code of conduct and their compliance is monitored by the relevant association. Such a code of conduct may be used to cover an international transfer of PII, and whether [Organization Name] has already signed up to, or could sign up to, such a code may be investigated as a possible route to provide appropriate safeguards.
2.3.4 Certification schemes

Certification to an approved scheme may also be used to demonstrate that appropriate safeguards are in place to protect the transfer of PII internationally. This will apply to both the sender and recipient of the data and will require that an approved certification scheme be available in the country of the recipient.
2.4 Other acceptable conditions for transfers of PII

If an adequacy decision does not apply to the destination country and appropriate safeguards cannot be put in place via the above methods, a transfer of PII may in many cases only be made internationally if one of the following situations applies:

1. The PII principal explicitly consents to the transfer, having been informed of the risks
2. The transfer is necessary to meet contractual commitments to the PII principal or the PII principal asks for the transfer prior to contract
3. The transfer is in the PII principal’s interests with regard to a contract
4. It is for important reasons of public interest (recognised by law)
5. The transfer is to do with a legal claim
6. The PII principal’s vital interests are protected by the transfer or if they are unable to consent
7. The transfer is made from a public register

The specifics of each of these conditions must be reviewed directly from the relevant legislation before basing a transfer on them.
2.5 Exceptional transfers

If none of the conditions set out in this procedure apply, then an international transfer of PII may still be allowed to take place if conditions such as the following apply:

1. The transfer is not repetitive
2. A limited number of PII principals is involved
3. It is for compelling legitimate interests which are not overridden by those of the PII principal
4. All the circumstances of the data transfer have been assessed
5. Suitable safeguards are provided, based on the assessment
6. The assessment and the safeguards are documented
7. The supervisory authority is informed of the transfer
8. The PII principal is informed of the data transfer and the reasons for it
9. The PII principal is informed about his/her rights under privacy law

For example, in the case of the EU GDPR, refer to Article 49 (“Derogations for specific situations”) paragraph 1 for the exact definitions of the above conditions.
2.6 Putting the transfer in place

Once the legal basis of the transfer of PII has been established and approved, the mechanics of achieving the transfer should be addressed. These will vary according to factors such as the type and volume of data involved, the destination and the technology used. Care must be taken to ensure that the safeguards that have been agreed to as part of the setting up of the transfer are adhered to and that evidence of their use is maintained for future audit purposes. The website of the relevant government agency and supervisory authority should be monitored so that any changes that affect the legality or performance of the transfer are identified and acted upon.