Search
Generic filters
Exact matches only
Filter by Custom Post Type
Data

Further guidance on data transfers in the event of a no-deal Brexit

Following guidance issued by issued by DCMS and the ICO at the end of last year (discussed in our bulletin), the European Data Protection Board (EDPB) has published its own information notice on data transfers from the EEA to the UK post-Brexit in the event of a no-deal.  The notice confirms that, after 29 March 2019, if the UK leaves without a deal, transfers of personal data from the EEA to the UK can only take place using:

  • Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules
  • Codes of Conduct and Certification Mechanisms
  • Derogations (including, for example, explicit consent of the data subject)

Personal data transfers from the UK to the EEA will, at least transitionally, be allowed to continue as currently, due to the UK government’s decision to recognise the EU’s data protection regime as adequate.

The EDPB identifies the following five steps that a business should take to prepare in relation to transfers of personal data from the EEA to the UK:

  1. Identify its processing activities that will involve a personal data transfer to the UK
  2. Determine the appropriate data transfer instrument for its situation
  3. Implement the chosen data transfer instrument to be ready for 30 March 2019
  4. Indicate in its internal documentation that transfers will be made to the UK
  5. Update its privacy notice accordingly to inform individuals

The most likely mechanism to be used for such transfers will be SCCs adopted by the European Commission.  The EDPB stresses that these are a ‘ready to use’ instrument and must not be modified (although they can be included in a wider contract, and additional clauses may be included provided they do not contradict the SCCs).

In addition to considering data flows between the UK and the EEA, businesses need to consider data flows from the UK to other territories, and compliance with the new ‘UK GDPR’ that will be in effect on Exit day (through The Data Protection, Privacy and Electronic Communications (Amendments etc) EU Exit) Regulations 2019 – discussed in our bulletin).

In particular, the UK government has decided to adopt adequacy decisions already adopted by the EU, including, in relation to the United States, the partial adequacy decision in the form of the Privacy Shield.  The US Department of Commerce has issued guidance to Privacy Shield participants confirming that they should update their Privacy Shield commitments (i.e., in their Privacy Notices and any relevant HR privacy policy) by Exit day to include reference to the UK, and also to maintain a current Privacy Shield certification. The UK government has also issued a further draft statutory instrument (The Data Protection, Privacy and Electronic Communications (Amendments etc) (No 2) Regulations 2019) which also provides that, in a no-deal scenario, transfers of personal data from the UK in reliance on the Privacy Shield can only take place if the certified Privacy Shield company has a compliant privacy policy.  Businesses transferring personal data to the US should therefore bear this requirement in mind when making transfers post Exit.

Shaper: Marcus Wareing

Marcus Wareing is a celebrated chef and Co-Founder of Marcus Wareing Restaurants. Marcus studied at Southport Catering College and was Gordon Ramsay’s protégée for 19 years. He was awarded his first Michelin Stars at 26, one of only a handful of chefs to be recognised at that age. His awards now include two Michelin stars, [...]

Read More...

Jazz Shapers - 1 day ago

Business Shapers: Sir John Timpson

Mishcon de Reya has created its latest animated business shapers film featuring Sir John Timpson, Chairman of Timpson Group, who was a guest on Jazz Shapers. Broadcast on Jazz FM, Jazz Shapers is a radio programme presented by Mishcon de Reya Partner and Director of Business Development, Elliot Moss. This three minute film documents the personal and entrepreneurial [...]

Read More...

Jazz Shapers - 2 days ago