International Transfers
We are part of a global association of accountants and, in common with other professional service providers, we sometimes use organisations located in other countries to help us run our business. As a result, personal data may be transferred outside the countries where we and our customers are located.
We will neither transfer nor process personal data outside the country in which a customer has contracted, nor will we permit personal data to be so transferred or processed by a third party, unless it is under one of the following conditions:
- with your consent;
- the territory into which the data are being transferred has an adequacy decision issued by the European Commission (under EU GDPR) or an adequacy regulation made under DPA2018 section 17A by the Secretary of State (under UK GDPR);
- the transfer is made under the unaltered terms of the standard contractual clauses issued by the European Commission (under EU GDPR) or the Secretary of State (under UK GDPR);
- the transfer is made under the provision of binding corporate rules which have been approved and certified by the European Commission (under EU GDPR) or the Commissioner (under UK GDPR);
- the transfer is made in accordance with one of the exemptions set out in GDPR Article 49.
International Transfers to the United States of America
Some of our processors, such as Microsoft, are ultimately US-owned, but our contracts are with their UK or EU entities, subject to UK GDPR and EU GDPR legislation respectively. We have risk-assessed our continued usage of such US-owned service providers in compliance with European Data Protection Board guidance. We continually keep under review the requirements which are imposed by applicable legislation.
Some of our processors who host personal data in the United States of America comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce. See here for a list of participating organisations.