Transfer of personal data outside of the EEA: We may transfer certain personal data that we hold on individuals living to a country outside the UK or European Economic Area (“EEA“), provided that one of the following conditions applies:
- the country to which the personal data is transferred ensures an adequate level of protection for that individual’s rights and freedoms;
- an individual has given their explicit and informed consent having had the risks explained to them;
- the transfer is covered by one of the derogations set out in the GDPR, including the performance of a contract between us and that individual, or to protect the vital interests of individuals;
- the transfer is legally required on important public interest grounds or for the establishment, exercise or defence of legal claims; or
- the transfer is authorised by the relevant data protection authority where we have checked adequate safeguards exist with respect to the protection of the individual’s privacy, their fundamental rights and freedoms, and the exercise of their rights.
Subject to the requirements set out above, the personal data we hold may also be processed by individuals operating outside the UK or EEA who work for us or for one of our suppliers. Those individuals may be engaged in, among other things, the fulfilment of contracts with the relevant individual, the processing of payment details and the provision of support services.
Safeguards: If we use a third party data processor to process personal data on our behalf, we will obtain contractual commitments to safeguard the security of the personal data to ensure that the third party only acts on our instructions when using that personal data and that the third party has in place appropriate technical and organisational security measures to safeguard the personal data. Whenever we transfer your personal data out of the UK or EEA, we ensure a similar degree of protection is afforded to it, for example:
- We may transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the ICO or, where applicable, the European Commission.
- Where we use service providers, we may use specific contracts approved by the ICO or, where applicable, the European Commission which give personal data the same protection it has in Europe.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data outside the UK or EEA.