Cambridge Quantum Computing (“CQC”, “we”, “us” or “our”) is a world-leading independent quantum computing software company. We are committed to safeguarding the privacy of information provided to us.
Data protection legislation limits transfers of personal data to countries outside the European Economic Area (“EEA”) unless:
- The country in question has been deemed to provide an adequate level of protection for personal data by the European Commission; or
- An ‘appropriate safeguard’ listed in the data protection legislation has been put in place or a specific exception applies.
These restrictions are in place as countries outside the EEA are deemed not to provide an adequate level of protection for personal data. This guidance note (“note”) explains the steps that CQC takes in order to ensure that any data transfers made outside the EEA comply with data protection law.
Scope of Guidance
This note applies only where CQC is transferring personal data to a country outside the EEA. The restrictions imposed by the data protection legislation do not apply to truly anonymised data, which cannot be used to identify individuals.
The EEA includes EU countries (Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden) and also Iceland, Liechtenstein and Norway.
Steps Taken Before Making a Transfer Outside the EEA
CQC considers the following steps before making a transfer of personal data outside the EEA:
Step 1 – Is the Data Personal Data?
The ICO defines personal data as “information that relates to an identified or identifiable individual…this only includes information relating to natural persons who:
- can be identified or who are identifiable, directly from the information in question; or
- who can be indirectly identified from that information in combination with other information, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
Step 2 – Necessity Test
CQC assesses whether the processing of personal data is ‘necessary’ for achieving the objective. ‘Necessary’ in this context means that the processing should be a targeted and proportionate way of achieving our objectives, such as for the objective of hiring potential candidates for a job role. If there is no other way, then the processing is considered necessary. If there is another way but it would require disproportionate effort, then CQC may determine that the processing is still necessary.
Step 3 – Transit or Transfer?
If the data is not being transferred and is merely in transit through a non-EEA country (and is not accessible), this will not constitute a transfer outside the EEA.
Step 4 – Data Protection Principles
Once CQC has determined that it is absolutely necessary to transfer personal data to a non-EEA country, it considers whether it has complied with all of the other data protection principles. CQC strives to comply with all relevant data protection requirements and all applicable CQC policies and procedures, not just those which relate to transfers outside the EEA.
Step 5 – Compliance with Data Protection Legislation (Adequacy Decision)
Under current data protection law, transfers outside the EEA may only be made in specific circumstances. The circumstances most likely to be of relevance where CQC transfers data outside the EEA are set out below.
Has the European Commission made an adequacy decision in respect of the relevant country or territory?
If an adequacy decision has been made in respect of the country to which CQC is transferring personal data, then no further steps need to be taken in order to make the transfer. CQC will continue to comply with all relevant provisions of the data protection legislation and all applicable CQC policies and procedures.
A full adequacy decision has been made in respect of the following countries and territories:
- Isle of Man;
- New Zealand;
- Switzerland; and
The adequacy decision therefore applies where personal data is transferred to any type of organisation within these countries/territories.
The Commission has made partial findings of adequacy about Canada and the USA:
- Canada: the adequacy finding for Canada only covers data that is subject to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).
- USA: The adequacy finding for the USA only relates to organisations which are certified members of the EU-US Privacy Shield framework. For any data transfers made to the USA, CQC carries out the following checks:
  - Checks the Privacy Shield list to see whether the organisation has a current certification; and
  - Makes sure the certification covers the type of data to be transferred.
Step 6 – Compliance with Data Protection Legislation (No Adequacy Decision)
If no adequacy decision has been made, i.e., the country the transfer is being made to is not in the list in step 5 above, CQC will:
- Ensure one of the ‘appropriate safeguards’ set out in data protection legislation is in place such as standard contractual clauses (“SCC”). These SCCs are listed in the General Data Protection Regulation (“GDPR”) as an appropriate safeguard and are ‘model clauses’ pre-approved by the European Commission.
- Determine whether a specific exemption set out in data protection legislation applies (see below).
Data protection law sets out certain exceptional circumstances in which a transfer may take place, even where no adequacy decision applies and no appropriate safeguards can be put in place.
Below is a brief summary of three exceptions:
- Consent: a transfer may be made where the individual has given explicit, fully informed consent to a specific transfer;
- Contract: transfers may be made where necessary for the performance of a contract; and
- Legal claims: a transfer is allowed where it is necessary for the establishment, exercise or defence of legal claims.
It is highly unlikely that CQC will rely on these exceptions in most circumstances.
Further Guidance
If you require any further information on the issues raised in this note, please contact our Data Protection Officer at firstname.lastname@example.org.
Last updated: This note was last updated on 10 February 2021. It may be updated further following further guidance published by the UK Information Commissioner’s Office (“ICO”).