The Data Protection Commission recently issued guidance on the transfer of personal data from Ireland to the UK in the event of a ‘No-Deal’ Brexit.
- Are you an Irish company that transfers personal data to the UK (including Northern Ireland)?
See below a non-exhaustive list of examples of ways you might be transferring data to a UK-based company
- Are you outsourcing your HR, IT or Payroll function to a UK based organisation?
- Are you using a UK based marketing company to send marketing communications to your customer database?
- Is your occupational health provider based in the UK?
- Is your pension scheme based in the UK?
- Are you using translation/transcribing services of a UK based company where you might be sending personal data of employees, customers or suppliers?
- Are you using a UK based company to analyse data on visitors to your website?
- Are you storing data in the UK on a server or in the cloud?
- In a ‘No Deal’ Brexit scenario you will need to put extra measures in place to legally transfer this data
- In the EU we have very high standards of data protection. EU based data controllers are not permitted to transfer personal data outside the EU/EEA unless those standards are maintained.
- In a “no-deal” Brexit scenario, the UK will no longer be a member of the EU; instead, it will become a ‘Third Country’. This means that transfer of personal data from Ireland to the UK will be treated in the same way as transfers of personal data to countries like Australia, India or Brazil.
- What this means in practice is that, in order to comply with GDPR rules, an Irish company intending to transfer personal data to the UK will need to put in place specific safeguards to protect the data in the context of its transfer and subsequent processing.
- This can be done in a number of different ways, depending on the circumstances in which the data is to be transferred.
- One such way is the use of “Standard Contractual Clauses” or “SCCs” and this is likely to be relevant to most Irish businesses that transfer personal data to the UK.
- The SCCs consist of standard or template sets of contractual terms and conditions that the Irish-based controller and the UK-based recipient (often acting as a Data Processor) both sign up to. The basic idea is that each of the parties to the contract gives contractually binding commitments to protect personal data in the context of its transfer from the EU/EEA to the Third Country. Importantly, the data subject is also given certain specific rights under the SCCs even though he or she is not party to the relevant contract.
- The SCCs can be adopted by putting in place a stand-alone or new contract between the Irish-based controller and the UK-based recipient. As well as setting out the SCCs, that contract may also include other commercial clauses provided those other clauses do not affect the operation of the SCCs or reduce data subject’s rights. Likewise, any additional commercial clauses must not reduce the level of protection which the UK-based entity is required to provide for the transferred data. An example of the kind of commercial clause that is permitted is a provision under which the UK entity indemnifies the Irish controller against a breach by the UK entity of its obligations under the contract.
- Alternatively, where the Irish-based controller and UK-based processor already have a contract in place between them, as required by Article 28(3) of the GDPR, they may decide to incorporate the SCCs into that existing contract. Again, this is provided that its terms do not affect the SCCs or reduce the data subject’s rights, and provided its terms do not reduce the level of protection which the UK processor is required to provide for the transferred data. Depending on the particular form and terms of their existing contract, this outcome could be achieved by means of a written variation.
You can find further information and Standard Contractual Clauses here
It is important to bear in mind that SCCs (and indeed any of the other mechanisms used to facilitate the lawful transfer of data out of the EU/EEA) are not an end in themselves. Care is required to ensure that, operationally, transfers are conducted and managed in a way that ensures that personal data is at all times protected to the level contemplated by the GDPR and that the obligations assumed by the parties under the terms of their SCCs contract are in fact discharged in practice. Like all other elements of the data processing arrangements of a business, planning is required to ensure compliance with GDPR requirements generally.
You can find more GDPR information here