Search
Generic filters
Exact matches only
Filter by Custom Post Type
Data

Further guidance on data transfers in the event of a no-deal Brexit

Following guidance issued by issued by DCMS and the ICO at the end of last year (discussed in our bulletin), the European Data Protection Board (EDPB) has published its own information notice on data transfers from the EEA to the UK post-Brexit in the event of a no-deal.  The notice confirms that, after 29 March 2019, if the UK leaves without a deal, transfers of personal data from the EEA to the UK can only take place using:

  • Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules
  • Codes of Conduct and Certification Mechanisms
  • Derogations (including, for example, explicit consent of the data subject)

Personal data transfers from the UK to the EEA will, at least transitionally, be allowed to continue as currently, due to the UK government’s decision to recognise the EU’s data protection regime as adequate.

The EDPB identifies the following five steps that a business should take to prepare in relation to transfers of personal data from the EEA to the UK:

  1. Identify its processing activities that will involve a personal data transfer to the UK
  2. Determine the appropriate data transfer instrument for its situation
  3. Implement the chosen data transfer instrument to be ready for 30 March 2019
  4. Indicate in its internal documentation that transfers will be made to the UK
  5. Update its privacy notice accordingly to inform individuals

The most likely mechanism to be used for such transfers will be SCCs adopted by the European Commission.  The EDPB stresses that these are a ‘ready to use’ instrument and must not be modified (although they can be included in a wider contract, and additional clauses may be included provided they do not contradict the SCCs).

In addition to considering data flows between the UK and the EEA, businesses need to consider data flows from the UK to other territories, and compliance with the new ‘UK GDPR’ that will be in effect on Exit day (through The Data Protection, Privacy and Electronic Communications (Amendments etc) EU Exit) Regulations 2019 – discussed in our bulletin).

In particular, the UK government has decided to adopt adequacy decisions already adopted by the EU, including, in relation to the United States, the partial adequacy decision in the form of the Privacy Shield.  The US Department of Commerce has issued guidance to Privacy Shield participants confirming that they should update their Privacy Shield commitments (i.e., in their Privacy Notices and any relevant HR privacy policy) by Exit day to include reference to the UK, and also to maintain a current Privacy Shield certification. The UK government has also issued a further draft statutory instrument (The Data Protection, Privacy and Electronic Communications (Amendments etc) (No 2) Regulations 2019) which also provides that, in a no-deal scenario, transfers of personal data from the UK in reliance on the Privacy Shield can only take place if the certified Privacy Shield company has a compliant privacy policy.  Businesses transferring personal data to the US should therefore bear this requirement in mind when making transfers post Exit.

Shaper: Neil Wright

As Founder and Managing Director of World Wide Internet Insurance Services (WWIIS), the parent company of Cover For You, Cedar Tree, Insurance & Escape and Outbacker, Neil Wright is not your average insurance type. Following a 10-year military career that began at the Royal Military Academy Sandhurst, Neil served in The Queen’s regiment all over the world [...]

Read More...

Jazz Shapers - 2 days ago

Shaper: Dame Rosemary Squire OBE

Dame Rosemary Squire OBE is one of the most prominent women in British theatre of the modern era. Since she co-founded the Ambassador Theatre Group in 1992, it has gone onto become the world’s number one live-theatre company.  In 2016, Squire stepped down from her post as CEO to move into a new creative phase.  [...]

Read More...

Jazz Shapers - 1 week ago