By Brahim Benichou, Annemarie Bloemen-Patberg, Terrence Dom, Jacqueline van Essen, Anne Sophie Morvan, Carmen Schellekens, Vincent Wellens
The European Data Protection Board (“EDPB”, a cooperation between the EU’s data protection authorities and the European Data Protection Supervisor) has published an information note on data transfers under the General Data Protection Regulation (“GDPR”) in the event of a no-deal Brexit. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) has published a Dutch translation and summary on its website. For Luxembourg, this EDPB information may be read in conjunction with the Brexit Guidance published by the Luxembourg Data Protection Authority (CNPD). As expected, a new digital barrier arises in this scenario which requires action from companies ultimately before 30 March 2019.
According to the EDPB’s information note, on 30 March 2019 the United Kingdom will become a “third country” within the meaning of the GDPR in case of no-deal Brexit. Under the GDPR, transfers of personal data to third countries are subject to conditions so that the level of protection of natural persons guaranteed by the GDPR is not undermined.
In relation to Brexit, companies should take the following steps pursuant to the information note:
1. Identify what processing activities will imply a personal data transfer to the UK;
2. Determine the appropriate data transfer instrument for your situation;
3. Implement the chosen data transfer instrument to be ready for 30 March 2019;
4. Indicate in your internal documentation that transfers will be made to the UK;
5. Update your privacy notice accordingly to inform individuals.
Identification of UK personal data transfers
Identification of the processing activities which imply a personal data transfer to the UK entails that companies must determine per processing activity whether there is a connection with the UK that consists of a data transfer. This is not merely the case if a contracting party is UK-based, but e.g. also if a company uses servers that are located in the UK or if access to (EEA based systems which contain) personal data is granted to persons that are located in the UK. Processing activities carried out by processors or sub-processors must also be taken into account and an assessment of existing agreements containing language that personal data will only be processed within the EEA will also be required.
Appropriate data transfer instruments
Until the European Commission adopts an adequacy decision in relation to the UK, the available data transfer instruments consist of (i) Standard and ad-hoc Data Protection Clauses, (ii) Binding Corporate Rules, or (iii) Codes of conduct and certification mechanisms. Further explanations on the harmonized conditions and procedure for using these tools will be published by the EDPB in the future. Some derogations exist (e.g. consent of the data subject), however they should mainly be relied upon for occasional and non-repetitive processing activities.
Out of the three instruments the EDPB mentions, application of the Standard Data Protection Clauses will for many companies form the most suitable and efficient solution. In its information note, the EDPB calls this a “ready-to-use instrument”. Three sets of Standard Data Protection Clauses are currently available:
– EEA controller to non-EEA (e.g. UK) controller 2001/497/EC;
– EEA controller to non-EEA (e.g. UK) controller 2004/915/EC; and
– EEA controller to non-EEA (e.g. UK) processor 2010/87/EU.
Alternatively, ad-hoc clauses can be applied, meaning that the Standard Data Protection Clauses are altered to cater for specific situations. In this instance, the tailored contractual clauses must be authorized by the competent national supervisory authority. This will for instance apply where the personal data are transferred from an EEA processor to a non-EEA (e.g. UK) controller or sub-processor, as no Standard Data Protection Clauses are currently available for these scenarios.
Further to the general information note, the EDPB has published a separate information note on Binding Corporate Rules for companies which have the ICO as their BCR Lead Supervisory Authority.
The EDPB moreover mentions that the internal documentation as well as privacy notices should be updated to reflect that data transfers will be made to the UK. In this respect, “internal documentation” includes internal privacy procedures, codes of conduct and/or data protection policies.
Companies must indicate in their privacy notice(s) whether it is intended to transfer personal data to a third country, whether an adequacy decision exists in relation to the relevant country, and (if applicable) which appropriate data transfer instrument has been put in place and how a copy thereof can be obtained or how it is made available. If the privacy notice is revised, a mere update of the online privacy notice may not be sufficient to meet the transparency requirements of the GDPR, as the data subjects (the persons to whom the personal data relate) may have to be actively informed of the update, for instance if previously no transfers of personal data to third countries took place.
It follows from the above (and from the deadline/Brexit date) that action is required shortly (although the Brexit negotiations are ongoing and should be carefully followed). These actions may be time consuming, for instance where authorization from the national supervisory authority is required.
NautaDutilh’s Benelux Data Protection Team keeps a close eye on Brexit developments and is happy to assist with or answer any questions in this respect.
Compliments of NautaDutilh, a member of the EACCNY