We live in a global information economy where data knows no bounds. But, the law does – and there are legal rules about transferring data across international borders. Cross-border data transfers refer to moving personal data from one country to another across international borders. Data protection laws have rules governing cross-border data transfers. Let’s discuss how to achieve cross-border data transfers in compliance with the law.

How we can help you

  1. Determine where the data protection responsibility lies in your data processing relationships by asking us to perform an assessment.
  2. Lawfully transfer personal data from one country to another by asking Michalsons to:
    1. provide you with an opinion answering a particular question,
    2. draft binding corporate rules for your organisation,
    3. draft a binding agreement with a third party (like a processor or other controller) to provide an adequate level of protection,
    4. draft a bespoke data processing agreement for your organisation, 
    5. draft template clauses for you to include in your agreements with third parties who are in other countries, or
    6. draft consent clauses for you.
  3. Know which countries in the world (especially African countries) have a law that provides adequate protection by asking Michalsons.

Cross-border data transfers in compliance with the law

Data protection laws (such as the GDPR in the EU, DPA in the UK or POPIA in South Africa) generally agree that anyone processing personal data may only transfer it to someone outside of the country under certain circumstances. For example, where:

  • the recipient is subject to a law, binding corporate rules, or binding agreement that provides an adequate level of protection;
  • the data subject consents to their personal data being transferred to a third party in a foreign country;
  • the transfer is necessary for the performance of a contract between the data subject and the controller;
  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party;
  • the transfer is for the benefit of the data subject, subject to certain restrictions.

A binding agreement often takes the form of a data processing agreement (DPA) between the parties and is one of the most common ways of achieving cross-border data transfers in compliance with the law. Other solutions, such as binding corporate rules (BCRs) are often deemed too unwieldy and demanding.

Why is it important?

  • You need to know the specific requirements in the countries you operate in and transfer data to. The laws in different countries vary and there are criminal and civil sanctions for violations.
  • By understanding the requirements, you can put measures in place to ensure the free flow of personal information to support your organisation.

We can help you determine the most suitable way to lawfully transfer data from one country to another.