As from the 1st of January 2021 the UK will have left the EU for good. This will result in the GDPR no longer applying directly to UK organisations. Although the provisions of the GDPR will be incorporated in UK law based on the clauses of the Withdrawal Agreement, the exit will still have a significant impact. Especially when it comes to the transfer of personal data. EEA companies relying on the services of UK suppliers will therefore need to review their relationship with these organisations.
Why do UK processors pose a risk?
Under the GDPR those organisations or persons processing personal data on behalf of the controller (organisation or person deciding on the purposes and means, i.e. the ‘what’ and ‘how’ of the processing) are to be considered processors. Since the GDPR has entered into force controllers are required to put in place a contract or other legal act (processing agreement) with those processors in accordance with the provisions of article 28 GDPR. This implies that, amongst other requirements, the contract should include the necessary provisions with regard to the transfer of personal data to a third country or international organisation. In many cases these provisions will be based on the assumption that those processors are located within the EEA and will thus mostly focus on the possible onward transfer of personal data by the processor to any location outside of the EEA. However, after the end of the transition period, the UK itself will be considered as a ‘third country’ under the applicability of the GDPR. This means that transfers of personal data from the EEA to these UK service providers will be restricted and the necessary safeguards need to be in place in order to ensure an equivalent level of protection for the personal data when transferred to or accessed from the UK.
How to transfer personal data to those UK processors?
Personal data could continue to flow freely in case the UK would be granted an adequacy decision by the European Commission. However, despite the incorporation of the GDPR into UK domestic law after the 31st of December 2020, it seems less and less likely that there will be an adequacy decision by the end of this transition period, if even one at all. This is, amongst others, due to the extensive powers granted to intelligence services under UK surveillance laws. Taking this into account, personal data transfers to the UK will need to be covered by a valid alternative transfer mechanism. EEA exporters and UK importers of the personal data will thus need to cooperate and define which of the alternative transfer mechanisms can be implemented.
In practice this will result in another round of supplier reviews and contract negotiations to ensure that the appropriate safeguards with regard to the transfer of personal data are in place. For example controllers can incorporate standard contractual clauses into the existing contract with processors by way of an amendment or use them alongside the existing contract, provided that the terms of the already existing contract do not affect the content of the SCC’s. If standard contractual clauses are practically not workable because of the specificities of the business relationship, the conclusion of ad hoc clauses would be another option, or there might even be the possibility to rely on one of the derogations under art. 49 GDPR (e.g. explicit consent of the data subject, necessity in context of a contract concluded with the data subject,…).
Unfortunately, the GDPR doesn’t offer a “one size fits all”-international data transfer mechanism. The appropriate mechanism for international data transfers should thus be determined on a case by case basis, which will generally require substantial efforts for EEA controllers both in terms of time and means.
Relevance of Schrems II
When deciding upon the appropriate safeguards to be implemented, the consequences of the recent Schrems II decision of the CJEU need to be taken into account as well. An appropriate transfer mechanism should be able to guarantee an “essentially equivalent” level of protection for personal data compared to the level of data protection provided for by the GDPR. Following the Schrems II decision additional measures might need to be taken due to incompatible national legislation.
Conclusion: consider relocation to EEA?
Taking into account the significant efforts that will be required from EEA companies dealing with UK processors, it is definitely worthwhile evaluating the desirability of clinging onto those existing UK service providers.
Nowadays, controllers can already count on many EEA alternatives that offer the same or a highly similar functionality as their UK counterparts, which at the same time avoid the personal data being transferred to the UK and so the applicability of the GDPR rules on international transfers.
CRANIUM, in collaboration with Deltablue, can assist you with this shift from UK to EEA alternatives or move the servers from UK processors to the EEA while you would barely notice it:
Contact us for more information: firstname.lastname@example.org.