Transfer of Personal Information to an Overseas Third Party
In a seashell
- PIPA applies to organisations in Bermuda.
- People risk losing the protection of Bermuda’s data protection laws if their personal information is transferred outside of Bermuda.
- On that basis, PIPA contains rules about transfers of personal information to overseas third parties located outside of Bermuda. People’s rights regarding their personal information must be protected or one of a limited number of exceptions must apply. For more information, see our Guidance on vendors, third parties, and overseas data transfers.
Section 15, Transfer of personal information to an overseas third party, states that:

(1) When an organisation transfers to an overseas third party personal information for use by that overseas third party on behalf of the organisation, or for the overseas third party’s own business purposes, the organisation remains responsible for compliance with this Act in relation to that personal information.

(2) Before making any such transfer, the organisation shall assess the level of protection provided by the overseas third party for that personal information.

(3) When assessing the level of protection in subsection (2), an organisation shall consider the level of protection afforded by the law applicable to such overseas third party and the Minister, on the recommendation of the Commissioner, may designate any jurisdiction as providing a comparable level of protection for the purposes of this section.

(4) If the organisation reasonably believes that the protection provided by the overseas third party is comparable to the level of protection required by this Act, which may be evidenced by the third party’s adoption of a certification mechanism recognised by the Commissioner, the organisation may rely on such comparable level of protection while the personal information is being used by the overseas third party.

(5) Where subsection (4) is not satisfied, the organisation shall employ contractual mechanisms, corporate codes of conduct including binding corporate rules, or other means to ensure that the overseas third party provides a comparable level of protection.

(6) Notwithstanding subsections (1) to (5), an organisation may transfer personal information to an overseas third party for use by that overseas third party on behalf of the organisation or for the overseas third party’s own business purposes, if—
(a) the transfer of the personal information is necessary for the establishment, exercise or defence of legal rights; or
(b) the organisation assesses all the circumstances surrounding the transfer of personal information to the overseas third party and reasonably considers the transfer of personal information is—
(i) small-scale;
(ii) occasional; and
(iii) unlikely to prejudice the rights of an individual.
Scenario
A Bermuda-based company uses a centralised human resources service in the US provided by its US parent company. The Bermuda company passes information about its employees to its US parent company in connection with the HR service. This is a transfer of personal information to an overseas third party.
Organisations ask
Do we need to make a transfer of personal information to an overseas third party?
Before making a transfer of personal information to an overseas third party, you should consider whether you can achieve your aims without actually sending personal information.
If you anonymise the information so that it is never possible to identify individuals, it is not personal information. If this is the case, the restrictions do not apply and you are free to transfer the anonymised information outside of Bermuda.
For fairness, you should tell people:
- the identity of the overseas third party;
- the country or countries to which the personal information is to be transferred;
- why you need to make the transfer;
- the type of information to be transferred;
- that they are able to withdraw consent if applicable; and
- importantly, the possible risks involved in making a transfer to a country which does not provide a comparable level of protection for personal information and without any other protection measures in place.
The questions below will help you decide whether the transfer is necessary and proportionate.
What are the specific circumstances of the transfer?
It is important that the first thing you do is map out the data flows and record the specific circumstances of the transfer of personal information to an overseas third party, including details of any protection that is in place for the information. You need this information in order to answer the questions below.
Consider and document the following (to the extent not already documented as part of a separate transfer risk assessment):
- Is there a section 15 transfer mechanism in place for any of the information? (If there is, you should have carried out a transfer risk assessment in relation to this section 15 transfer mechanism and identified whether there is a residual risk that some or all of the information will not be sufficiently safeguarded.)
- Who is the information going to? What kind of organisation is the overseas third party (e.g., a public regulator like PrivCom, an IT company, a parent or service company in your group
- Where is the overseas third party located?
- Will the overseas third party send the information to any other organisations? If so, what kind of organisations are they and where are they located?
- Why are you making the transfer? What will the overseas third party be doing with the information? If the information is going to be sent to other organisations, what will they be doing with the information?
- If you have carried out a transfer risk assessment, what risks have you identified as not being sufficiently safeguarded by the section 15 transfer mechanism?
- Who is the information about? Set out the categories of individuals (e.g., customers, employees, or business contacts).
- What type(s) of information are you transferring, and does it include any sensitive personal information or other more risky types of information such as financial transaction data, location data, or confidential records?
- Are there protections for the information because of the type of organisation or individual the overseas third party is? Does the overseas third party have to comply with professional rules or other rules which apply in addition to the general legal regime of the destination country (e.g., if the importer is a law firm, it may be subject to rules of professional conduct or rules of privilege)?
- Are there any other contractual protections (e.g., a confidentiality agreement)?
- What technological and organisational security measures will the overseas third party have in place to protect the information (e.g., is the information anonymised? Encrypted?)?
- What is the format of the transferred information (e.g., plain text)?
- How are you sending the information (e.g., are you transmitting it by email, website encryption, or secure file transfer protocol (SFTP))? Or does it involve remote access to information stored in Bermuda?
- For how long can the overseas third party access the information?
- How often will these transfers occur?
- How much personal information are you transferring?
- When and how would the overseas third party return the information when the purpose is completed?