
International transfers of personal data

Before providing a service, or employing a new staff member, Cifas members can check details against our databases for matches with individuals whose behaviour appears to be consistent with known fraudulent conduct. Some Cifas members use staff based outside of the UK to carry out those checks. This means that if a match is found, Cifas will be making what data protection law describes as a transfer of personal data to a “third country”.

Transfers of personal data from the UK to a third country are allowed where that country is considered “adequate” in data protection terms by the UK Government. Transfers are also allowed where “appropriate safeguards” have been put in place between Cifas and the member based outside of the UK. In practice this means that Cifas and the member will sign a contract called “a set of controller to controller standard contractual clauses”, together with any additional measures necessary to ensure personal data is protected to UK standards.

The Information Commissioner’s Office has a list of “adequate” countries and also has published the wording of the standard contract at

