We normally only store personal data within the European Economic Area (EEA). However, some of the technology and support services we use are provided by international organisations and/or companies which are based outside the EEA. Before using such service providers, we take steps to make sure that any personal data they process is adequately protected and transferred in accordance with Data Protection Laws, usually by one or more of the following methods:
- ensuring the recipient is in a country which the EU Commission has deemed provides adequate protection for personal data;
- implementing appropriate safeguards such as requiring the recipient to enter into Standard Contractual Clauses approved by the appropriate data protection supervisory authorities; or
- (if the recipient is based in the USA) transferring personal data to recipients who are certified under the EU-US Privacy Shield scheme. For example, we use software services provided by the Google LLC, which is registered under the Privacy Shield scheme.
The only other time we’ll transfer data outside the EEA is if a derogation (i.e. an exception) under Data Protection Laws, and the transfer is either necessary and made for the purposes of that exception or with your explicit consent.