Under the GDPR, aside from transfers to jurisdictions that are officially recognised by the Commission as adequate, both Controllers and Processors may only transfer personal data outside the EU if they incorporate the appropriate safeguards and on the condition that enforceable rights and effective legal remedies are available for their data subjects. One key option in this regard is that of Standard Contractual Clauses (SCCs) or ‘model clauses’. SCCs are standard sets of contractual terms and conditions which the sender and receiver of the personal data both subscribe to. They incorporate a series of contractual obligations which help to protect personal data when it flows out of the EEA, and thus out of the blanket protection of the GDPR.
With regard to Brexit, once the UK leaves the EU and following the end of the transition period, unless the requisite steps are taken to ensure the UK is deemed by the European Commission to have an ‘adequate’ data protection regime, current data flows will require separate mechanisms to continue flowing freely and in a compliant manner. From that point onwards, the EU-based entity transferring data into the UK will need to take the appropriate steps to ensure it can rely on SCCs for lawfully transferring personal data outside the EEA. This will generally be applicable in the case of small and medium-sized organisations, though for larger organisations that already have well-established transfer mechanisms, this method may not suit their needs. It is the EEA-based sender of the personal data which must comply with the GDPR rules; however, the UK-based receivers may also wish to assist in this regard to ensure data continues to flow.
Some technology companies, namely Microsoft, Amazon Web Services and Google, have already pioneered the idea of obtaining the approval of the respective Data Protection Authorities for their own versions of data transfer agreements. This is encompassed within Art. 46.3 of the GDPR, and the advantage of this approach is that companies may enjoy greater flexibility in the ways that they contractually commit to the protection of their data subjects’ personal data. This allows them to adopt more realistic contractual obligations that they are less likely to breach.
Practical steps to take during the transition period:
It is recommended that organisations who are currently transferring personal data from within the EEA to the UK should:
1. Confirm what personal data flows currently take place, or those planned in the near future.
2. Consider what steps are required to ensure that said data flows remain compliant under the GDPR following the end of the transition period if said adequacy decision is not reached, such as the implementation of SCCs.
3. Act to ensure the appropriate mechanisms are in place prior to the leave date, or failing that, as soon as possible.

If you have any queries or concerns in this regard, please do not hesitate to contact your Account Manager. Sytorus’ team of consultants will be happy to assist and ensure that appropriate SCCs are relied upon using your support hours through PrivacyEngine.