International Data Transfers

Overview

International data transfers refer to the transfer of personal data from the UK or EEA to countries outside these regions. Such transfers require appropriate safeguards under UK GDPR and EU GDPR.

Our Approach

Bugni Labs minimises international data transfers. Where transfers are necessary, we implement appropriate safeguards as required by law and assess risks associated with each transfer.

Transfer Mechanisms

We use the following lawful mechanisms for international transfers:

1. Adequacy Decisions

Transfers to countries with adequacy decisions from the UK or EU (e.g., EU member states for UK transfers, certain approved countries) do not require additional safeguards.

2. Standard Contractual Clauses (SCCs)

We use UK/EU-approved Standard Contractual Clauses for transfers to countries without adequacy decisions. SCCs are contractual commitments between data exporters and importers providing appropriate safeguards.

3. Binding Corporate Rules (BCRs)

For intra-group transfers (if applicable), we may implement Binding Corporate Rules approved by supervisory authorities.

4. Derogations

In limited circumstances, we may rely on specific derogations such as explicit consent or necessity for contract performance. These are used sparingly and documented.

Risk Assessment

Before implementing international transfers, we assess:

  • Legal framework in the destination country
  • Access rights of government authorities
  • Security and privacy protections
  • Data subject rights in the destination country
  • Onward transfer risks

Where risks are identified, supplementary measures are implemented (e.g., encryption, pseudonymisation, contractual restrictions).

Common Transfer Scenarios

Cloud Service Providers

We select cloud providers with EU/UK data centres. Where providers have global operations, we ensure SCCs are in place and assess risks related to the US CLOUD Act or similar legislation.

SaaS Tools

Third-party SaaS tools may process data outside UK/EEA. We conduct vendor assessments, implement SCCs, and minimise data transferred to such tools.

Support and Development

If support or development activities involve international teams, we implement technical and organisational measures including encryption, access controls, and contractual safeguards.

Transparency

We provide transparency on data transfers through:

  • Privacy notices disclosing transfer locations and safeguards
  • Sub-processor lists with locations
  • Data flow documentation
  • Client notifications of material changes

UK-EU Transfers Post-Brexit

Following Brexit, the UK is treated as a third country by the EU (though the EU recognises the UK as adequate). We implement UK and EU SCCs as appropriate to ensure compliance with both regimes.

US Data Transfers

For transfers to the United States, we implement SCCs and conduct transfer impact assessments. We monitor developments related to the EU-US Data Privacy Framework and the UK-US data bridge.

Client Controls

Clients can specify restrictions on international transfers in contracts. We accommodate requirements such as EU/UK-only processing or specific country restrictions where feasible.

Monitoring and Review

We regularly review international transfers, monitor legal developments, and update safeguards as needed. Transfer impact assessments are updated when circumstances change.

Contact

Data transfer enquiries: dpo@bugni.io

For data residency information: See Data Residency