Data Protection Policy

11. Transferring Data Outside the EEA


11.1 The GDPR requires that when organisations transfer personal data outside the European Economic Area (EEA), they take steps to ensure that the data is properly protected. We may transfer personal data outside the EEA in order to secure personal data in repositories with hosting services under GDPR-compliant data processing agreements and EU Model Contracts. This data may be accessed by designated IAP officers and staff, in compliance with this Data Protection Policy, and the IAP Appropriate Use Policy and security policies and procedures for the purposes of processing, for example, data on beneficiaries of funding.


11.2 The European Commission has determined that certain countries provide an adequate data protection regime. These countries currently include Andorra, Argentina, Canada, Guernsey, Isle of Man, Israel, New Zealand, Switzerland, Faroe Islands, Jersey and Uruguay, but this list may be updated.


11.3 As such, personal data may be transferred to people or organisations in these countries without the need to take additional steps beyond those you would take when sharing personal data with any other organisation. In transferring personal data to other countries outside the EEA (which are not on this approved list), the IAP will to enter into an EC-approved agreement, seek the explicit consent of the individual, or rely on one of the other derogations under the GDPR that apply to the transfer of personal data outside the EEA.


11.4 The EU-US Privacy Shield is an instrument that can be used as a legal basis for transferring personal data to organisations in the US, although specific advice should be sought from the data protection officer before transferring personal data to organisations in the US.


11.5 For more information, please contact the IAP Secretary