Cross-border data transfers affect all organizations that use online IT services, cloud-based services, remote access services and global HR databases. Understanding how the lawful data transfer mechanisms apply is essential for validating transfers to recipients located outside the United Kingdom. Data transfers typically include the following examples:
First, it is important to note that the transfer of personal data to a third country or an international organization is possible. The transfer is legally allowed where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection. A transfer based on a decision of adequacy shall not require any specific authorization.
In the absence of a decision of adequacy, the personal data transfer to a third country may take place if appropriate safeguards are in place, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. Examples of measures that can be taken include:
The BCR must contain: privacy principles (transparency, data quality, security, etc.); tools of effectiveness (audit, training, complaint handling system, etc.); and an element proving that the BCR are binding.
The BCR must be submitted to the data protection authority, and will be amended in collaboration with other data protection authorities. The entire approval process has no established timeframe.
The purpose of the SCC "is to facilitate the task of processors in the implementation of transfer contracts." Therefore, each new contract must come with SCC. The SCC are not subject to approval by any authority, which is the main reason why their content cannot be modified. If changes are made, the parties must submit the document for data protection authority approval.
While SCC generally work well for smaller companies and bilateral data sharing, they may be a poor fit where there is a complex web of processing, and the growth of affiliates abroad may create the need to put hundreds of SCC in place.
Adopting BCR and SCC allows organizations to harmonize practices relating to the protection of personal data within a group, avoid the need for a contract for each single transfer, communicate externally on the company's data protection policy, have an internal guide for employees with regard to personal data management, and make data protection integral to the way the company carries out its business.
While the UK has transitioned out of the European Union (EU) as of December 31, 2020, the EU has agreed to delay personal data transfer restrictions between the EU and the UK for a minimum of four months, which may be extended to six months. This extension is meant to enable personal data transfers between the EU and the UK until an adequacy agreement can be put in place. The adequacy agreement will allow the ongoing free international transfer of employee data between the UK and the EU.
Per guidance (https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers-after-uk-exit/) put out by the UK, “Restricted transfers from the UK to other countries, including to the EEA, are now subject to transfer rules under the UK regime. These UK transfer rules broadly mirror the EU GDPR rules, but the UK has the independence to keep the framework under review.” Transitional arrangements include:
HR Best Practices: For intragroup transfers (such as access from a subsidiary outside the UK), make sure at least one safeguard mechanism is in place: BCR “Controller to Controller” or SCC signed with the subsidiary concerned. For cross-border data transfers with processors or sub-processors, make sure such collaborators have their own safeguard mechanisms in place.
The use of applications in the cloud frequently results in the international transfer of employee data. Personal data should only be transferred outside the UK when an adequate level of protection is ensured and access by subsequent entities remains limited to the minimum necessary for the intended purpose.