Cross-border data transfers affect all organizations that engage online IT services, cloud-based services, remote access services and global HR databases. Understanding the applications of lawful data transfer mechanisms is essential to validate recipients located outside the United Kingdom. Data transfers typically include the following examples:
personal data communicated over the telephone, by email, fax, letter, through a web tool or in person to a country outside the UK;While the UK is transitioning out of the European Union, the GDPR will continue to apply through December 2020. The Data Protection Act 2018 largely mirrors the GDPR and will continue in full force beyond the transition period.
First, it is important to note that the transfer of personal data to a third country or an international organization is possible. The transfer is legally allowed when the EU Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection. A transfer based on a decision of adequacy shall not require any specific authorization.
In the absence of a decision of adequacy, the personal data transfer to a third country may take place if appropriate safeguards are in place, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.
The GDPR enforced adequacy mechanisms that were already adopted in the previous Directive and transposed by the French data protection law, such as:
The BCR must contain: privacy principles (transparency, data quality, security, etc.); tools of effectiveness (audit, training, complaint handling system, etc.); and an element proving that the BCR are binding.
The BCR must be submitted to the data protection authority, and will be amended in collaboration with other data protection authorities. The entire approval process has no established timeframe.
The EU Commission has so far issued two sets of standard contractual clauses for transfers from data controllers to data controllers established outside the EU and one set for the transfer to processors established outside the EU.
The set “controller (EU) and processor (non-EU)" has been also used as the SCC for processors and sub-processors. The GDPR mentions the addition of new SCC for processors and sub-processors. Such clauses are not yet approved but there is a draft available for consultation.[1]
The purpose of the SCC "is to facilitate the task of processors in the implementation of transfer contracts." Therefore, each new contract must come with SCC. The SCC are not subjected to any authorities’ approval, the main reason why their content cannot be modified. If changes are made, the parties must submit the document for data protection authority approval.
While SCC generally work well for smaller companies and bilateral data sharing, they might not fit precisely where there is a complex web of processing, and the growth of affiliates abroad may lead to the need to put in place hundreds of SCC.
Adopting BCR and SCC allows organizations to harmonize practices relating to the protection of personal data within a group, avoid the need for a contract for each single transfer, communicate externally on the company's data protection policy, have an internal guide for employees with regard to personal data management, make data protection integral to the way the company carries out its business.
There are potential impacts to cross-border data transfers that employers should be aware of in the event the United Kingdom leaves the European Union with no agreement in place.
Data transferred from the UK to the EU: Per guidance (https://www.gov.uk/guidance/using-personal-data-after-brexit) put out by the UK , “During the transition period, personal data will be able to flow freely (subject to GDPR compliance), without additional restrictions, between the EU/EEA and the UK. UK organisations will still be able to send personal data legally from the UK to the EEA and 13 countries deemed adequate by the EU.” In the long term, the UK plans to work with the EU to put an adequacy decision in place, which will allow the free international transfer of employee data between the UK and the EU.
Data transferred from the EU to the UK: Transferring EU employee data to the UK may become more complex, at least in the short-term. For many employers, this can mean creating or updating standard contractual clauses, also known as SCCs. This is the common practice for most 3rd party countries. SCCs are contractually agreed to personal data protection processes which help facilitate the safe transfer of personal data. The UK’s Information Commissioner’s Office has posted guidance (https://ico.org.uk/for-organisations/data-protection-and-brexit/standard-contractual-clauses-for-transfers-from-the-eea-to-the-uk-interactive-tool/) that employers can use when considering standard contractual clauses.
HR Best Practices: For intragroup transfers (such as access from a subsidiary outside the UK), make sure to have at least one safeguard mechanism in place: BCR “Controller to Controller” or SCC signed with the concerned subsidiary. For cross-border data transfer with processors or sub-processors, make sure such collaborators have their own safeguard mechanisms in place.
The use of applications in the cloud frequently results in the international transfer of employee data. Personal data should only be transferred outside the UK when an adequate level of protection is ensured and access by subsequent entities remains limited to the minimum necessary for the intended purpose.
__________________________________________
