We are part of a global association of accountants and in common with other professional service providers, we sometimes use organisations located in other countries to help us run our business. As a result, personal data may be transferred outside the countries where we and our customers are located.
We will neither transfer nor process personal data outside the country in which a customer has contracted, nor will we permit personal data to be so transferred or processed by a third party, unless it is under one of the following conditions:
- the territory into which the data are being transferred has an adequacy decision issued by the European Commission (under EU GDPR) or an adequacy regulation made under DPA2018 section 17A by the Secretary of State (under UK GDPR);
- the transfer is made under the unaltered terms of the standard contractual clauses issued by the European Commission (under EU GDPR) or the Secretary of State (under UK GDPR);
- the transfer is made under the provision of binding corporate rules which have been approved and certified by the European Commission (under EU GDPR) or the Information Commissioner (under UK GDPR);
- the transfer is made in accordance with one of the exemptions set out in GDPR Article 49.
The demise of Privacy Shield and European Data Protection Board (EDPB)
Some of our service providers (processors) are ultimately US-owned, but our contracts are with their UK or EU entities, subject to UK GDPR and EU GDPR legislation respectively. We have risk-assessed our continued usage of such US-owned service providers in compliance with the above-mentioned EDPB guidance. We continually keep under review the requirements which are imposed by applicable legislation.