GDPR Transfers of personal data outside EEA


I am looking to issue a privacy notice based on the CTA/ATT/ACCA/AAT template and am looking for suitable wording under the 'GDPR Transfers of personal data outside EEA' section.

We use Xero/Sage/Msoft Office 365/Inform Direct/TaxFiler/Autoentry & Receiptbank and my understanding is that at least some of these hold data outside of the EEA, e.g. USA.

I've had a look at various accountants' websites for wording who use similar cloud-based services and wording ranges from 'data is not transferred outside of EEA', which seems incorrect, to fairly generic statements along the lines of 'where this is the case we will take steps to make sure the right security measures are taken so that your privacy rights continue to be protected as outlined in this policy'.

As a sole practitioner what steps can I take other than reading their GDPR policy and is this sufficient?

Can anyone suggest suitable wording?

 

Replies (1)

By RichardPulseCyber
04th Jun 2018 10:34

Two elements to your question that need covering, hopefully this will be helpful. If you are transferring data to the US there is a chance that the processor there has signed up to the EU-US Privacy Shield. If so, they are covered under the GDPR. Check the list here to see if this is the case (and if not, suggest they do so - as it is a self-certification process and will benefit them as a service provider to EEA based organisations): https://www.privacyshield.gov/list

Second; my business and our clients benefit from the support of a third party processor, based outside the EEA. We cover this in our Privacy Notice, as follows:

"FibreCRM will, on occasion, need to transfer personally identifiable data outside the EEA, to third countries or international organisations. This is necessary due to the need to access appropriate CRM product expertise which is not always available in the EEA, and is for the benefit of our clients and data subjects. FibreCRM closely monitors the findings and recommendations of the Article 29 Working Party, in relation to guidelines and recommendations on data transfers, binding corporate rules and contractual clauses."

Thanks (1)