Data Transfers Within a Multinational Group - Safely Navigating EU Data Protection Rules

June 05, 2013

Multinational corporations increasingly have a need to share their data throughout their group. Often this will be necessary to service international clients or to coordinate marketing efforts. Sometimes international data sharing will be necessary simply to implement a cost-effective centralised IT function. However, to do so often results in the group having to navigate the data protection or privacy laws of those countries in which they operate. A prominent example of an issue that arises is the European data protection restriction on transferring personal data outside of Europe (specifically, outside the European Economic Area (EEA)).

This briefing introduces this issue and presents a summary of the solutions available to allow a transfer of data between group entities when some of the data crosses out of Europe. In particular, the following solutions are introduced:

  • Ensuring that the recipient company is in a country automatically deemed adequate;
  • Putting in place certain types of data transfer contracts;
  • Putting in place “binding corporate rules”; and
  • (In the UK) undertaking a “self-assessment” as to the protection of the data throughout the group.

Update, October 2015: A further method, the US "safe harbour" scheme was declared invalid by the Court of Justice of the European Union and is no longer available for use.

To keep reading, download the white paper.