Employee Data Privacy

Are there any restrictions on transferring personal data and how can these be overcome?

Cross-border data transfers affect all organizations that engage online IT services, cloud-based services, remote access services and global HR databases. Understanding the applications of lawful data transfer mechanisms is essential to validate recipients located outside the United Kingdom. Data transfers typically include the following examples:

• personal data communicated over the telephone, by email, fax, letter, through a web tool or in person to a country outside the UK;
• IT systems or data feeds which lead to personal data being stored on databases hosted outside the UK;
• people/entities outside the UK being able to access or "see" personal data held in the UK; and
• the use of personal data by third parties through external solutions, e.g., outsourcing, offshoring and cloud computing.

Cross-Border Data Transfers 

First, it is important to note that the transfer of personal data to a third country or an international organization is possible. The transfer is legally allowed where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection. A transfer based on a decision of adequacy shall not require any specific authorization.

In the absence of a decision of adequacy, the personal data transfer to a third country may take place if appropriate safeguards are in place, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. Examples of measures that can be taken include:

• Binding Corporate Rules (BCR): personal data protection policies offer clear sets of rules for businesses engaged in a joint economic activity. They are adhered to by a controller or processor established in the country for transfers of personal data to a controller or processor in one or more third countries.

The BCR must contain: privacy principles (transparency, data quality, security, etc.); tools of effectiveness (audit, training, complaint handling system, etc.); and an element proving that the BCR are binding.

The BCR must be submitted to the data protection authority, and will be amended in collaboration with other data protection authorities. The entire approval process has no established timeframe.

• Standard Contractual Clauses (SCC): clauses that offer sufficient safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals.

The purpose of the SCC "is to facilitate the task of processors in the implementation of transfer contracts." Therefore, each new contract must come with SCC. The SCC are not subjected to any authorities’ approval, the main reason why their content cannot be modified. If changes are made, the parties must submit the document for data protection authority approval. 

While SCC generally work well for smaller companies and bilateral data sharing, they might not fit precisely where there is a complex web of processing, and the growth of affiliates abroad may lead to the need to put in place hundreds of SCC.

Adopting BCR and SCC allows organizations to harmonize practices relating to the protection of personal data within a group, avoid the need for a contract for each single transfer, communicate externally on the company's data protection policy, have an internal guide for employees with regard to personal data management, make data protection integral to the way the company carries out its business.

Cross-Border Data Transfers Between the EU and the UK

While the UK has transitioned out of the European Union (EU) as of December 31, 2020, the EU has agreed to delay personal data transfer restrictions between the EU and the UK for a minimum of four months, which may be extended to six months. This extension is meant to enable personal data transfers between the EU and the UK until an adequacy agreement can be put in place. The adequacy agreement will allow the ongoing free international transfer of employee data between the UK and the EU.

Per guidance (https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers-after-uk-exit/) put out by the UK, “Restricted transfers from the UK to other countries, including to the EEA, are now subject to transfer rules under the UK regime. These UK transfer rules broadly mirror the EU GDPR rules, but the UK has the independence to keep the framework under review.” Transitional arrangements include:

• permitting the transfer of personal data from UK to the European Economic Area (EEA) and to countries which were covered by a European Commission ‘adequacy decision’ on Dec. 31, 2020;
• allowing employers (and others) to continue to use EU SCCs that were valid on Dec. 31, 2020, both for existing restricted transfers and for new restricted transfers;
• allowing certain BCRs to transition to the UK.