Brexit: How to Get Your Data Transfer Ducks in a Row

THE QUESTION

Are you an Irish company and do you transfer personal data (such as employee data) to the UK (including Northern Ireland)?

THE LATEST

Safe to say the Brexit process has exposed us to more twists and turns than a Hollywood thriller movie. At the time of writing, EU leaders have agreed a further 6-month extension to the end of October 2019, putting Brexit on track for a Halloween exit. Since the only thing certain about Brexit is the uncertainty, this article is intended to address steps for your organisation to take if you are transferring personal data to the UK or are a recipient of personal data from the UK. Halloween or not, good preparation to ensure your company’s data can continue to flow freely between Ireland and the UK will mean no scary outcomes for your business.

THE REQUIREMENT

The EU imposes very high standards of data protection. Under the GDPR and the Irish Data Protection Acts 1988 – 2018, in order to transfer personal data to a country outside the EEA (a ‘third country’), a company must have in place appropriate safeguards to do so.

THE SITUATION CURRENTLY

Being part of the EU means companies located in Ireland can freely transfer personal data to other EU countries (including the UK and Northern Ireland) without the need for any specific safeguards.

THE FUTURE

After the UK leaves the EU, it will become a ‘third country’ for the purposes of EEA data transfers and you will need to take steps to ensure your data can continue to flow freely to and from the UK.

THE NEXT STEPS

The below table summarises how you can “Brexit proof” your data transfers. In short, if your company transfers personal data to the UK or is a recipient of personal data from the UK, you must ensure you have appropriate safeguards in place.

Appropriate safeguards include:

  • Using Standard Contractual Clauses
  • Using Binding Corporate Rules
  • Relying on an adequacy decision
  • Relying on derogations
  • Other safeguards (set out in more detail below).

The following briefly explains the various appropriate safeguard options for your company to consider:

Standard Contractual Clauses (SCCs): these are model clauses approved by the EC which implement contractual safeguards between the data exporter and importer. They are available to download on the EC website here and are the most widely used alternative mechanism for transferring data outside the EEA.

Adequacy decision: where the EU determines if a non-EEA country has an adequate level of data protection. If the UK struck such a deal with the EU it would allow for the continued free flow of data. However, this takes time and will likely not be in place if the UK leaves the EU in 2019.

Binding Corporate Rules (BCRs): are internal rules for data transfers within large multinationals which must be approved by the supervising data protection authority. Data transfers under BCRs are limited to internal transfers within the organisation and do not cover transfers to third parties.

Derogations: can be relied upon in the absence of the other transfer mechanisms but have limited applicability, can be difficult to rely upon and have a number of conditions which must be met first.

Other safeguards: SCCs and BCRs are the most frequently used data transfer mechanisms. However, the GDPR does provide for other safeguards, including:

  • Code of Conduct or Certification mechanism with binding and enforceable commitments between both parties, which is approved by the relevant supervisory authority. Note no approved codes of conduct are yet in use.
  • Contractual clauses approved by the relevant supervisory authority. Currently, most supervisory bodies are not authorising such contracts until guidance is released from the European Data Protection Board.
  • Administrative arrangements between public authorities approved by the relevant supervisory authority. Again, most supervisory bodies are not authorising such arrangements until guidance is released from the European Data Protection Board.

There is useful guidance issued from the Data Protection Commissioner here, the Information Commissioner’s Office here and the UK Government here.

For further information in relation to this topic, please contact the team at Crowley Solicitors at cmurphy@crowleysolicitors.ie or at +353 21 4289560.

This briefing is for general guidance only and should not be regarded as a substitute for professional advice. Legal advice should always be taken before acting on any of the matters discussed.

2019-04-18T10:39:55+01:00