Chalmin Data Tip of the month.
The European Data Protection Board last week published Recommendations 01/2020 on measures that supplement transfer tools (particularly the standard contractual clauses) to ensure compliance with the EU level of protection of personal data in light of the decision of the Court of Justice of the European Union in Schrems II.
Step 1 – Map all your third country transfers
Step 2 – Verify the transfer tool your transfer relies on
Step 3 – Assess if there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on.
Step 4 – Identify and adopt supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence (see Annex 2).
Step 5 – Take any formal procedural steps the adoption of your supplementary measure may require.
Step 6 – Re-evaluate at appropriate intervals the level of protection afforded to the data you transfer to third countries and monitor whether there have been or will be any developments that may affect it.
On the same day, new SCCs were published for consultation; we should see those coming into being in late December or thereabouts.
So what does that mean for you?
What will most likely happen is that customers will use the suggested “supplementary measures” listed in the EDPB’s recommendations (at Annex 2) as a shopping list to negotiate into deals with vendors. There’ll be a lot of back and forth to find a middle ground acceptable to both parties. Encryption, contractual commitments around how to handle government data access, and transparency reporting will likely be the most common.
Are you an Irish company that transfers personal data to the UK?
The withdrawal agreement has preserved the status quo in data protection terms, at least until the end of the transition period in December 2020. However, if the UK leaves the EU without a deal, the implications for international data flows and privacy compliance generally will be severe. Without additional actions, UK-based processing of EU personal data will be illegal.
To ascertain the ways you might be transferring data to a UK-based company, ask yourself the following questions:
- Are you outsourcing your HR, IT or Payroll function to a UK-based organisation?
- Are you using a UK-based marketing company to send marketing communications to your customer database?
- Is your pension scheme based in the UK?
- Are you storing data in the UK on a server or in the cloud?
In a ‘No Deal’ Brexit scenario you will need to put extra measures in place to legally transfer this data.
EU based data controllers are not permitted to transfer personal data outside the EU/EEA unless those standards are maintained.
In a “no-deal” Brexit scenario, the UK will no longer be a member of the EU; instead, it will become a ‘Third Country’. It will have to look for an Adequacy Ruling like Japan in time. This means that the transfer of personal data from Ireland to the UK will be treated in the same way as transfers of personal data to countries like Australia or India.
What this means in practice is that, in order to comply with GDPR rules, an Irish company intending to transfer personal data to the UK will need to put in place specific safeguards to protect the data in the context of its transfer and subsequent processing.
This can be done in a number of different ways, depending on the circumstances in which the data is to be transferred. One such way is the use of “Standard Contractual Clauses”, “SCCs” or “Model Clause Agreements”, and this is likely to be relevant to most Irish businesses that transfer personal data to the UK.
The SCCs consist of standard or template sets of contractual terms and conditions that the Irish-based controller and the UK-based recipient both sign up to. The basic idea is that each of the parties to the contract gives contractually binding commitments to protect personal data in the context of its transfer from the EU/EEA to the Third Country. Importantly, the data subject is also given certain specific rights under the SCCs even though he or she is not party to the relevant contract. As I said above, there are new SCCs about to come into play.
We can help you prepare and give you peace of mind. You can email firstname.lastname@example.org