Hi! I would like to get some advice on how to approach data security obligations within an internationally based organisation which is headquartered in the UK. The company would be collecting data from a 3rd country and part of that data would be stored and processed in Serbia (by the company officers, within the organisation's premises, not 3rd parties). Would the organisation in this case be transferring personal data outside the EEA? Storing and transferring would be done via the Dropbox cloud service. Thank you!
If the headquarters of the organization is in the United Kingdom, then the UK GDPR would mainly apply. According to Article 3 – Territorial scope – of the EU GDPR, the Regulation would apply only if the company offers goods or services to people in the EEA, or if it monitors the behavior of people in the EEA. If the data is stored in Serbia, then a transfer takes place from the UK to Serbia. According to the UK GDPR, which is almost the same as the EU GDPR (with EU references removed), a suitable transfer mechanism should be used for compliant personal data transfers. In this case, the best transfer mechanism would be the UK Standard Contractual Clauses. The ICO, the UK’s Data Protection Authority, issued some new SCCs, called IDTAs (International Data Transfer Agreements), that can be used starting March 21, 2022.
You could explore developing Binding Corporate Rules (BCRs) for intra-group personal data international transfers, but they need to be approved by the supervisory authority (ICO in this case).