International data transfers – what you need to know before transferring personal data overseas
If you are a UK based tour operator or travel business operating internationally the chances are that you send personal data overseas. In this article we consider what you need to know when doing this.
What is personal data?
Personal data is any information relating to an identified or identifiable person. In terms of your tourism business you are likely to collect your customers’ personal data including names, addresses, dates of birth, passport details, special requests including special dietary information and potentially information relating to a medical issue or disability.
What can we do with personal data?
Personal data is protected by the UK General Data Protection Regulation (otherwise known as UK GDPR) and the UK Data Protection Act 2018. These data protection laws dictate what you can do with personal data. You should also be aware that the EU General Data Protection Regulation (EU GDPR) may also apply, depending on where and how you are collecting personal data.
Anything you do with personal data including collecting, storing, using, disclosing to third parties and erasing personal data is known as “processing”.
If you decide what data is to be collected and what happens to it, you are likely to be a data “controller” for the purposes of data protection laws. This will be the case for most tour operators and principals to travel arrangements.
As a data controller you are responsible for ensuring that what happens to the data complies with data protection laws. This includes (amongst other things):
- implementing appropriate technical and organisational measures to ensure the security of personal data;
- only using processors who will ensure that their processing meets the requirements of data protection laws;
- entering into contracts with processors which must cover specific points;
- ensuring you meet your accountability obligations such as keeping records; and
- ensuring you meet requirements on international transfers.
Can we send personal data overseas?
In order to confirm a booking with an overseas supplier you are likely to need to send personal data overseas. Overseas suppliers are likely to require this personal data in order to be able to provide their services.
Sending data overseas is a restricted transfer. You can make a restricted transfer where:
- There is an adequacy decision in place; or
- An exception applies. An occasional transfer for a limited purpose where consent is given would be such an exception; or
- You have additional safeguards in place.
What is an adequacy decision?
This means that the country to which personal data is to be transferred is one which the UK government has decided provides an adequate level of data protection. If this is the case, additional safeguards are not required and you can go ahead and transfer the personal data.
All EU countries fall into this category as do Iceland, Norway, Liechtenstein, Gibraltar, Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. There are also partial findings in place for Japan, Canada and South Korea.
Can I rely on an exception?
Where the transfer is only occasional, you have a contract with the person (or the person benefits from the contract) and it is necessary to transfer the data to fulfil the contract, you can do this without the additional safeguards (see below). You cannot rely on this where you routinely transfer data to another company. So for an occasional booking it is fine; for a supplier you use regularly you would need to have additional safeguards in place.
Where you are obliged to provide the personal data to a government / public authority in order to provide a booking this would also be an exception.
A further relevant exception is where you need to make a transfer to establish if you or someone else has a legal claim or defence, or to make or defend a legal claim.
How do I put in place additional safeguards?
Additional safeguards are most commonly used in the form of standard contractual clauses (SCC) (now to be used with the UK addendum where the UK GDPR applies) or an international data transfer agreement (IDTA).
In basic terms, the implementation of SCC or an IDTA puts in place measures that require your suppliers to deal with the personal data only in accordance with your instructions and ensures that they maintain appropriate security to protect the data.
Prior to transferring any personal data you will need to conduct a risk assessment focussing on the law and practice of the country to which you wish to export the data. Guidance on completing such a risk assessment can be found at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/transfer-risk-assessments/
Multinational companies making international transfers subject to the EU GDPR (if you are collecting data in the EU) and the UK GDPR (if you are also collecting data in the UK) should consider using the EU’s SCC and the UK addendum.
If you only collect data in the UK you can use the IDTA.
- Review your data processing procedures and work out where you might be making restricted transfers.
- Consider whether the data transfer is to a country with an adequacy decision or whether an exception applies.
- Where there is no adequacy decision or exception applicable, complete a risk assessment and ensure additional safeguards are put in place.
- If you already have additional safeguards in place and you are currently relying on the old SCC for the EU, they continue to be valid for transfers until 21 March 2024 (provided the processing remains unchanged and you assess that the old SCCs continue to provide appropriate safeguards). Prior to 21 March 2024 you will need to consider whether to move onto the EU SCC with a UK addendum or an IDTA.
If you have any queries about anything in this article please contact Claire Ingleby (firstname.lastname@example.org).
Please note this information is for general guidance only and is not intended to be a substitute for specific legal advice.