GDPR, like earlier data protection law, differentiates between holding personal data in EU Member States and holding it in countries outside the EU called “third countries”. There are extra compliance requirements if you transfer personal data to a third country.
Following Brexit the UK will be a third country to the other EU Member States, so it is important to consider the compliance solutions now. A soft Brexit might include provision for the UK to be treated as having adequate legal protection for personal data and subject rights, but a hard Brexit will not. The UK will be treated as a third country and, if your business handles personal data relating to citizens in other EU Member States, it is recommended that
The timing is critical now: not only do you need to decide on the best strategy and engage with customers and partners in other EU Member States, but you also need to revise your privacy notices. Corporate partners in the EU also need to revise their privacy notices to show that they export personal data to the UK and how that data is protected in a third country.
There are two main solutions to the issue of ensuring compliance for personal data from the EU. If your business collects personal data indirectly, via a business located within the EU, then the appropriate route is to adopt the EU model clauses into your existing agreement with that business. The model clauses are the approved legal framework to guarantee data protection compliance and the enforceability of subject rights against organisations located in third countries. They have to be adopted “as is”; any amendment would weaken them. There are several versions of two basic sets of clauses: those between controller and controller, and those between a controller and a data processor. A controller is the decision maker about how the data is processed and why. The data processor is a service provider, fulfilling the instructions of the controller.
Even if your existing processes involve data collection direct from data subjects in other EU Member States it is worth considering “passporting” data in from the EU via an organisation located within it and putting the model clauses in place. The alternative is to obtain the consent of individual data subjects which has its own problems.
If your business collects personal data direct from data subjects, via online retail for example, and there is no possibility of “passporting” their data to the UK, then the most appropriate route is to obtain the consent of the data subjects to the transfer of their personal data to the UK. Consent must be informed and specific, so it would be appropriate to explain that the UK has adopted GDPR and that legislation is in place to ensure that GDPR standards will continue to apply in the UK. Consent must be revocable, so ensure that the website allows subjects to withdraw their consent, and prepare a response to explain the circumstances if you have to retain their data for legal reasons, for example to evidence an online purchase.
Appointing a representative
Regardless of hard or soft Brexit there will be a need for Appointed Representatives in some cases. GDPR provides that organisations located outside the EU that offer goods or services to EU citizens must appoint a Representative in each Member State where they have customers. This is to facilitate communication between the organisation and the local supervisory authority. An appointed representative is also required if citizens are being monitored by organisations located outside the EU.
So, a business that sells to French consumers will require an appointed representative in France. An online business selling across the EU will be required to designate a representative in each member state. There is a saving provision: an appointed representative is not required if the processing is occasional, does not include large-scale processing of special category data (health, race, religion, philosophical beliefs, TU membership, genetic and biometric data, details of sexuality or sex life, criminal convictions), and is unlikely to present a risk to the rights and freedoms of data subjects.
As a rule of thumb, if your organisation has designated a Data Protection Officer, that indicates that your data processing activities represent a certain level of risk and it may be difficult to argue that the saving provision will apply in that case.
Representatives should be appointed in writing authorising that person/company to “be addressed” either as well as or in place of the controller/processor. Communication will be from supervisory authorities and data subjects on all issues related to personal data processing and for purposes of ensuring compliance with GDPR.
The UK disapplied Article 27 in the Data Protection Act 2018 so there is no equivalent requirement for controllers in the EU to appoint a representative if they process personal data relating to UK citizens.
Once a strategy has been decided and implemented, it needs to be explained to data subjects in the privacy notice. This means changing documentation, customer paperwork and the website privacy notice. As ever, keep a record of compliance activity so that you can demonstrate to the supervisory authority (the Information Commissioner’s Office in the UK) that steps have been taken to comply with the law.
The DP-Smart Toolkit contains detailed guidance on what is required and includes template contracts and information on how to prepare privacy notices. Find us here at www.dataprotection.me.uk