GDPR and Brexit – an important update for organisations receiving or processing personal data from Europe
A recent update from the Information Commissioner highlights a critical data-protection requirement for businesses and organisations which receive personal data from other parts of the European Economic Area.
By “Brexit day” – currently scheduled for 29 March 2019 – businesses and organisations which receive personal data from elsewhere in the EEA will need to choose and implement one of a number of mandatory “safeguards” for the data protection rights of EU citizens.
This reflects the fact that the UK will cease to be part of the EEA on Brexit day, and will therefore be subject to the same rules as are already in place to protect EU citizens where their data is transferred to non-EEA countries.
Most organisations will find that the only “safeguard” available will require them to put standard-form EU model contracts in place with their customers (known as “standard contractual clauses”). If this is not done, the UK organisation’s European partners are likely to be in breach of their obligations under European law. This will be the case even if the sender is part of the same group of companies or otherwise operates as part of the same “business”.
Your organisation may be affected if:
1. You receive EU citizens’ data from a data controller and process it on their behalf as a data processor (a “controller to processor” transfer);
2. A data controller shares EU citizens’ personal data with you which you use for your own purposes (a “controller to controller” transfer); or
3. Your organisation is a “sub-processor” for an EEA organisation which processes data for a customer.
Your organisation is unlikely to be affected if you transfer personal data to organisations in the EEA but don’t receive any back.
Fines could be imposed up to the normal limits under the GDPR – the higher of 20 million euros or 4% of annual turnover for data controllers, and the higher of 10 million euros or 2% of annual turnover for data processors.
The Information Commissioner’s Office has indicated that the EEA data controller will bear primary liability if there is no “safeguard” in place by Brexit day. But as with many things “Brexit”, it is far from certain that UK organisations can rely on this to escape liability. And as EU organisations will need to comply with the law, failure to put the standard contractual clauses in place could interrupt data flows and business relationships between your organisation and Europe.
The ICO provides a useful “interactive tool” for SMEs wanting to determine if they need to put “safeguards” in place before 29 March. It can be found at: https://ico.org.uk/for-organisations/data-protection-and-brexit/standard-contractual-clauses-for-transfers-from-the-eea-to-the-uk-interactive-tool/
PDT’s data privacy team can help you understand whether you will be affected and put in place the necessary safeguards, which must be in place by 29 March. Contact Ian Lindley to see how we can help.
The content of this webpage is for information only and is not intended to be construed as legal advice and should not be treated as a substitute for specific advice. PDT Solicitors LLP accepts no responsibility for the content of any third party website to which this webpage refers.