If you are an EEA-based data controller who has appointed a UK-based processor to process personal data under the General Data Protection Regulation 2016/679 (GDPR), you will now need to review your processes.
To date, this transfer of personal data between two EEA/EU states has posed no difficulty, as it is a permitted transfer under the GDPR, subject to a controller-processor agreement being put in place between the parties.
But from the end of the transition period at the end of December, the GDPR will no longer apply to the UK, which will become a third country for the purposes of personal data transfers under the GDPR, meaning that personal data transfers cannot continue on the same basis as before.
How can we continue to transfer personal data to the UK processor?
The ideal situation would be if the UK were to receive an ‘adequacy decision’ from the European Commission immediately following the end of the transition period.
If that happens, the UK is deemed to be a third country outside the EEA that meets the GDPR's standards of security and protection, and personal data may continue to be transferred from the EEA to the UK without restriction, subject to the controller-processor agreement.
If the adequacy decision for the UK is delayed, or even refused, then what?
After the transition period, if there is no immediate adequacy ruling, then the UK officially becomes a ‘third country’ under the GDPR, and personal data transfers are restricted.
This does not mean that they cannot happen at all, but if personal data is transferred from the EEA, it must be transferred subject to certain safeguards set out in the GDPR. In this case, those are likely to be either Standard Contractual Clauses or Binding Corporate Rules, both of which are explained below:
Standard Contractual Clauses (SCCs)
These are clauses approved by the European Commission that contain the contractual provisions required to match the GDPR. The EEA-based data controller would enter into these SCCs (in addition to whichever other contract they may enter into) with the UK-based data processor. Provided that these SCCs are signed and the parties abide by them, the data transfer can continue to take place as before.
Binding Corporate Rules (BCRs)
If the EEA-based data controller and the UK-based data processor are members of the same international group of companies, it may be convenient for the group to rely on BCRs as an alternative to SCCs, but the function and effect are similar.
The EEA-based data controller may also make the transfer to a UK-based processor relying on the explicit consent of the individual data subject to the transfer; such explicit consent must be obtained before the transfer.
If the transfer of the personal data is essential to the performance of a contract entered into by the data subject, it can take place without the explicit consent of the individual data subject. For example, if an individual books a holiday in the UK through a Belgian travel agent (who is the data controller), the travel agent will have to pass that person’s data to, say, the hotel in the UK, and this is permitted.
There are other exceptions covering one-off transfers of personal data, but these really are intended to be for exceptional transfers and not relied on for regular transfers of personal data out of the EEA into the UK.