Running a Compliant Business

International Data Transfers

When using overseas tools or storage counts as an international transfer, and what the Act expects you to do about it.

Intermediate 12 min
This module is general information, not legal advice, and is being reviewed by our legal team. For your specific situation, consult the official Data Protection Act, 2020 or seek professional advice.

What you will learn

  • What counts as an international transfer
  • What the eighth standard requires
  • How everyday cloud tools are affected
  • Practical steps to transfer data responsibly

Overview

Most businesses use tools hosted overseas without thinking about it: email, cloud storage, accounting software, marketing platforms. When personal data lives or is processed outside Jamaica, that is an international transfer, and the Act has something to say about it.

Why this matters

Data sent abroad can fall under different rules and protections. The Act wants to make sure your customers' data stays protected even when it leaves Jamaica. Since so many everyday tools are hosted overseas, this affects almost every business.

What counts as a transfer

A transfer happens whenever personal data is stored or processed outside Jamaica. That includes:

  • cloud storage and email hosted abroad
  • overseas software and platforms that hold your data
  • backups kept on overseas servers
  • a head office or partner abroad accessing the data
Note. You do not have to physically send a file for a transfer to happen. Storing data in an overseas cloud is itself a transfer.

What the law says

The eighth standard (within sections 22 to 31) says personal data should not be transferred outside Jamaica unless there is appropriate protection for it. The Act sets the framework; the specific safeguards that satisfy it should be confirmed against the Act and current guidance.

Legal note. What counts as "appropriate protection" can depend on the destination and the arrangement. Confirm the position for your specific tools rather than assuming.

Everyday cloud tools

Common platforms such as international email, storage, and marketing tools usually involve transfers. That does not make them off-limits, but you should:

  • know where your data is stored
  • check the provider's protection and terms
  • disclose the transfer in your privacy notice

Practical steps

  1. List the tools and providers that hold your personal data.
  2. Note which store or process data outside Jamaica.
  3. Check each one's data location and protection.
  4. Update your privacy notice to mention overseas transfers.

Common mistakes

  • Assuming "the cloud" has no location.
  • Forgetting that overseas backups are transfers.
  • Saying nothing about transfers in the privacy notice.

Best practices

  • Map where your data actually lives.
  • Prefer providers that are clear about data location and protection.
  • Be transparent with customers about transfers.

Put this into practice

Make sure your notice tells people about any overseas transfers.

Update your privacy notice

Frequently asked questions

Yes. If your data is stored or processed on servers outside Jamaica, that is an international transfer, even with a well known provider.

Key takeaways

  • Storing or processing data outside Jamaica is an international transfer.
  • The eighth standard requires appropriate protection for transferred data.
  • Many everyday cloud tools involve transfers, so check them.
  • Be transparent in your privacy notice about overseas transfers.

Related

Ask the Privacy Assistant

Beta