Eighth Principle - transfer of data abroad
"Personal data shall not be transferred to a country or territory outside the Island unless it provides an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data."
Technical guidance on making overseas transfers of personal data in accordance with the Eighth Data Protection Principle is at the bottom of this page.
What the Law Says
If transfers are made to countries within the European Economic Area (EEA), they shall be presumed to have an adequate level of protection (See below for information on "adequacy").
For 'other' countries and territories, there are a list of factors which are to be considered in determining 'adequacy':
- the nature of personal data
- the country or territory of origin of the information contained in the data
- the country or territory of final destination of that data
- the purposes for which the data are to be processed
- the law, international obligations, codes of conduct or others rules in force in the country or territory in question
- any security measures taken in respect of the data in that country or territory.
Schedule 4 of the Act does, however, provide for circumstances in which this principle does not apply.
Cases where the Eighth Principle does not apply
1. The data subject has given his consent to the transfer.
2. The transfer is necessary —
(a) for the performance of a contract between the data subject and the data controller, or
(b) for the taking of steps at the request of the data subject with a view to his entering into a contract with the data controller.
3. The transfer is necessary —
(a) for the conclusion of a contract between the data controller and a person other than the data subject which
— (i) is entered into at the request of the data subject, or (ii) is in the interests of the data subject, or (b) for the performance of such a contract.
4. (1) The transfer is necessary for reasons of substantial public interest.
(2) The Council of Ministers may by order specify —
(a) circumstances in which a transfer is to be taken for the purposes of subparagraph (1) to be necessary for reasons of substantial public interest, and
(b) circumstances in which a transfer which is not required by or under a statutory provision is not to be taken for the purpose of sub-paragraph (1) to be necessary for reasons of substantial public interest.
5. The transfer —
(a) is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings),
(b) is necessary for the purpose of obtaining legal advice, or
(c) is otherwise necessary for the purposes of establishing, exercising or defending legal rights.
6. The transfer is necessary in order to protect the vital interests of the data subject.
7. The transfer is of part of the personal data on a public register and any conditions subject to which the register is open to inspection are complied with by any person to whom the data are or may be disclosed after the transfer.
8. The transfer is made on terms which are of a kind approved by the Information Commissioner as ensuring adequate safeguards for the rights and freedoms of data subjects.
9. The transfer has been authorised by the Information Commissioner as being made in such a manner as to ensure adequate safeguards for the rights and freedoms of data subjects.
The European Union has approved model contracts for the transfer of personal data to data controllers and processors in countries outside the EEA which do not have an adequacy decision from the Commission. In addition, for multi-national companies the Commission has approved transfers where that company has adopted binding corporate rules approved by an EU Data Protection Authority. The International Chamber of Trade also has approved model contracts which may be used. For further information please contact the office.
The European Commission has made adequacy decisions for a number of countries including the Isle of Man. For a full list of the adequacy decisions please click here.
However, although a third country's law may be deemed to be "adequate", following the ruling in Schrems, controllers transferring personal data to an "adequate" jurisdiction must also consider whether the protection provided is adequate in relation to the particular transfer.
- Further guidance on the eighth data protection principle
- Transfers of personal data to third countries - EU Council FAQ's
- Outsourcing the processing of personal data
- Handbook on European data protection law
- EU Data Controller to Data Controller Clauses
- EU data controller to data processor in third countries model clauses
- New EU standard contractual clauses introduced - press release
- ICC Data Controller to Data Controller Contract Clauses
- Safe Harbor EU Communication Nov 2015
- EU Court of Justice Safe Harbor Ruling 2015
- Safe Harbor & IOM Adequacy Review Nov. 2015