How to implement a personal data transfer mechanism?

Author info

Even if the UK does not provide an adequate level of protection of personal data as required by the GDPR, a transfer of personal data to the UK will still be possible if you choose and implement one of the available personal data transfer mechanisms.

4.1. Standard Contractual clauses seem to be the only possibility

From the personal data transfer mechanisms described in the previous blog article, the standard contractual clauses seem to be the only possibility for EEA-based companies transferring personal data to the UK that can realistically be implemented by the withdrawal date.

There are multiple versions of the standard contractual clauses:

  • Contractual clauses for transfers from a controller to a controller
    (model 2004/915/CE);
  • Contractual clauses for transfers from a controller to a processor
    (for contracts prior to 15 May 2010: 2002/16/CE; for new contracts since 15 May 2010: 2010/87/EU). Please be advised that the Article 29 Working Party has elaborated FAQs (WP176) about contractual clauses following Decision 2010/87/EU.

When an EEA-based data exporter and a UK-based importer sign standard contractual clauses, they provide an adequate level of protection by means of an agreement by themselves.

It is not required to obtain the supervisory authority’s prior approval when implementing the standard contractual clauses. However, the standard contractual clauses have be presented at the supervisory authority’s request.

The current versions of the standard contractual clauses were drawn up before the entry into force of the GDPR. Timelex is currently assisting the European Commission in adapting the current standard contractual clauses to the GDPR. For this assessment, the views of various stakeholders were gathered. The final outcome of this assessment is expected later this year. If you want to be kept informed of this assessment, please follow us on LinkedIn.

4.2. Other data transfer mechanisms are unlikely

As the current withdrawal date is 1 November 2019, it is unlikely that it will be possible to rely on any of the other personal data transfer mechanisms:

  • There is no adequacy decision, because the UK is still part of the EEA. Additionally, before coming to such a decision, the European Commission performs a thorough assessment of the non-EEA national data protection system concerned making sure it provides adequate safeguards similar to those offered in the EEA. At the moment, the European Commission is not carrying out a such an assessment which usually takes some time as well. Recently, Timelex assisted the European Commission with its adequacy assessment for Japan leading to the EU adequacy decision for Japan.
  • Other data transfer mechanisms rely on the authorisation of a supervisory authority and possibly also the European Data Protection Board, meaning that it would take too much time to obtain the authorisation before the current withdrawal date. Data transfer mechanisms requiring authorisation are ad-hoc contractual clauses and binding corporate rules. The UK’s supervisory authority (the ICO) acknowledged that it will not authorise ad-hoc contractual clauses before the withdrawal date.
  • Derogations have to remain the exception. Relying on a derogation to transfer personal data on a repetitive basis is not allowed because the derogations have to remain the exception and not the rule.

Related

This article is part 4 of a serie of 6 articles about Brexit:

  1. Do I have to take into account the GDPR after Brexit?
  2. How to identify whether your processing activities are impacted by Brexit?
  3. Which personal data transfer mechanisms can you use?
  4. How to implement a personal data transfer mechanism?
  5. How to update your privacy policy and internal documents?
  6. Which supervisory authority is competent after Brexit?