GDPR puts a variety of obligations on businesses. Due to the far-reaching penalties arising under data protection law, it is important for business-owners to recognise where a need for action is triggered. One area that causes confusion or may be overlooked is the requirement for a data transfer agreement (DTA). A business may need a DTA in the following situations:
- Transfers Across Borders: A DTA is likely to be required where personal data is being moved from Ireland to a country outside of the European Union. This includes the transfer of client data and employee data
- Using Third Party Service Providers: If personal data is to be shared with or processed by a service provider, a DTA is required. This will include the use of cloud storage, data storage, HR systems and any outsourcing involving personal data.
- Entering a Sub-Contract or Outsourcing Arrangement: When engaging other organisations to complete tasks involving personal data, a DTA will be necessary.
- Entering a Data Sharing Agreement: When sharing personal data with other organisations such as research projects or marketing at DTA will be required.
- Entering Partnerships and Joint Ventures: If personal data is to be shared or disclosed in a new business relationship, a DTA will be needed.
- Entering a Business Merger, Acquisition or Change in Ownership: If personal data forms part of the assets to be transferred, a DTA is required. If personal data is to be disclosed during the due diligence process a DTA is also required.
The above is intended for information purposes only. It is not legal advice. If you would like to discuss developing a DTA for your business or any aspect of compliance, please contact Fitzsimons Redmond LLP on 01-6763257 or by email at law@fitzsimonsredmond.ie.
By Lisa Quinn O’Flaherty
Partner at Fitzsimons Redmond LLP