Feb 28, 2024
KEY TAKEAWAYS:
This briefing deals with the transfer of personal data outside the Bailiwick of Guernsey pursuant to the Data Protection (Bailiwick of Guernsey) Law, 2017 (the "DPL"). A "data transfer" occurs when an individual's personal data is sent outside of the Bailiwick of Guernsey. International data transfer is a complex field of data protection and this briefing will only provide a brief overview of the key elements.
A related briefing on the object of the DPL, some of the key concepts used in the DPL, what the data principles are, and the rights of data subjects is available here.
Whether an international data transfer is permitted under the DPL depends on whether the international data transfer is to a Member statement of the European Union (the "EU"), to a member of the European Economic Area ("EEA"), an adequate jurisdiction or when the transfer is being made on the basis of available safeguards or is authorised by the Office of the Data Protection Authority ("ODPA").
Like Guernsey, there are several jurisdictions which have a European Commission "adequacy" decision. An "adequacy" decision from the European Commission (the "EC") is a green light for all transfers of data between any adequate jurisdiction and the EEA, as well as to/from the other adequate jurisdictions outside the EEA, known as "third countries". Jurisdictions that the EC deems "adequate" are considered to have a rigorous data protection regime in place that is broadly equivalent to that in the EU. Where a transfer is to an "adequate" jurisdiction, a controller can freely transfer data to and/or from that jurisdiction with no additional legal requirements arising and without having to implement any additional measures.
The European Commission has so far recognised the following jurisdictions as providing adequate protection:
There are several large jurisdictions (e.g. China) that do not provide the legal protections for personal data in the same way as the EEA and third countries do ("Unauthorised Jurisdictions").
A controller or processor may transfer personal data to a person in an "Unauthorised Jurisdiction" where the controller or processor is satisfied that one or more certain safeguards are in place in relation to the personal data, and there is a mechanism for data subjects to enforce their data subject rights and obtain effective legal remedies against the further controller or processor. The safeguards include:
Of the safeguards mentioned, standard data protection clauses appears to be the most common safeguard adopted / implemented by controllers when carrying out an international data transfer.
Standard data protection clauses, also known as standard contractual clauses ("SCCs") or model clauses, contain contractual obligations on the data exporter (based in Guernsey) and the data importer (based in an Unauthorised Jurisdiction) and give rights to the individuals whose personal data is to be transferred. These clauses are approved by the EC, available on their website, and recognised by the ODPA for transfer purposes.
In June 2021, the EC published a new set of SCCs for international data transfers. The first set of SCCs governs international data transfers (standard contractual clauses for international transfers). The second set of SCCs governs data processing agreements between controllers and processors (standard contractual clauses for controllers and processors in the EU/EEA).
Any Guernsey business engaging in new transfers will need to utilise the new EC SCCs. The ODPA recognises the new SCCs as an appropriate transfer mechanism for transfers from Guernsey to Unauthorised Jurisdictions.
In November 2022, the ODPA published the "Bailiwick of Guernsey Addendum for the EU Commission's Standard Contractual Clauses (SCCs)" (the "Guernsey Addendum"). The Guernsey Addendum is a legal document controllers can make restricted amendments to in order to protect people’s data by using it in conjunction with the EC SCCs. In the event of a conflict or inconsistency between the Guernsey Addendum and the provisions of the EC SCCs it is intended that the provisions which provide the most protection to data subjects shall prevail.
In September 2024, the EC announced its intention to adopt new SCCs applicable to the specific case where a data importer is located in a third country but is directly subject to the GDPR. The new SCCs will complement the existing SCCs, for data transfers to third country importers not subject to the GDPR.
Transfer impact assessments
When a controller is seeking to rely on an available safeguard the DPL (and the ODPA) requires that the controller carry out a "transfer impact assessment" ("TIA"). A TIA assists a controller in making sure that the actual protection provided by the available safeguard is sufficiently similar to the principles of the DPL to provide data subjects of the transferred data with a level of protection essentially equivalent to that under the DPL.
The ODPA expects controller to carry out a TIP by undertaking a risk assessment, which takes into account the protections contained in that appropriate safeguard and the legal framework of the destination country (including laws governing public authority access to the data).
Walkers’ Guernsey regulatory team can advise on all aspects of Guernsey data protection, including data protection policies, procedures, privacy notices, data subject access requests and data protection audits.
We have a team of regulatory experts spanning all practice areas who regularly advise on all aspects of Guernsey regulation, including financial services, AML, sanctions, data protection, consumer protection, competition, tax, economic substance, FATCA and the CRS. Our team can also provide training to staff on a broad range of topics.
This article was updated on 28 November 2024.
Key Contacts
