Given the continuing uncertainty surrounding Brexit and its proximity (29th March 2019 at the time of writing!), it is important now for businesses and organisations that are likely to be impacted by Brexit, either directly or indirectly, to get a good sense of what actions might need to be taken to minimise any potential negative effects on their data flows generally.
A good place to start self-informing is the Data Protection Commission website. The office outlines helpful guidance which is included in the note below.
The first question to ask and answer is whether you are an Irish company transferring personal data to Northern Ireland or the United Kingdom.
Examples of relevant data transfers include:
- Payroll, outsourced Human Resources
- Using a UK based marketing company
- Your company pension scheme is based in the UK
- Using a UK based company to analyse your website visitor information
- Using a UK based cloud provider
Where there is a no-deal Brexit, extra measures will be required to legally transfer personal data, as the UK and N. Ireland will become ‘third countries’ for the purpose of EU and Irish data protection law. There are several methods available to facilitate ‘third country’ transfers. The system considered to be most relevant for Irish businesses by the Irish Data Commission is called Special Contractual Clauses (SCCs).
SCCs consist of a standard or template set of contractual T&Cs that the Irish based controller and the UK based recipient/processor sign up to. The parties to the contract give contractually binding commitments to protect personal data in the context of its transfer from the EU/EEA to the UK/NI. (Note: The data subject is given certain specific rights under the SCCs.)
As well as setting out the SCCs, the contract may also include other commercial clauses provided those other clauses do not affect the operation of the SCCs or reduce the data subject’s rights.
Where the Irish based controller and UK based processor already have a contract in place between them, they may decide to incorporate the SCCs into that existing contract. At no stage can the data subject’s rights be reduced as a result of a contractual alteration generally.
The following is a brief summary of the contents of the SCCs (based on a Commission document).
- The parties to the SCCs are required to insert certain basic information, identifying the name and contact details of the “data exporter” (Irish) and the “data importer” (UK).
- Clause 1 then defines certain key terms. You will see that this clause refers to Directive 95/46/EC rather than the GDPR. This template remains valid, unless and until the EU Commission replaces it.
- Details of the transfer must be inputted into Appendix 1 of the Contract. Clause 3 establishes certain rights for the data subject, even though he/she is not a party to the contract.
- Clause 4 sets out the data exporter’s obligations, i.e. the commitments to be given by the Irish-based controller.
- Clause 5 then sets out the data importer’s obligations, i.e. the commitments being given by the UK-based service provider.
- Clause 6 deals with issues of liability as between the data exporter and importer.
- In Clause 7, the data importer acknowledges that if, in a dispute situation, the data subject exercises its rights under Clause 3, it will be for the data subject to decide whether to mediate the dispute or to bring a legal action in the courts of the member state in which the data exporter is based (i.e. Ireland in this case).
- In Clause 8, the data exporter and data importer commit to co-operating with the Data Protection Commission.
- At Clause 9, the parties should insert “Ireland” as the member state whose laws will apply to the contract.
- Clause 10 notes that the parties may add additional clauses, but only if those clauses do not vary or modify the SCC clauses themselves.
- Clause 11 deals with certain issues relating to the position of sub-processors engaged by the data importer.
- Clause 12 sets out the parties’ obligations when the processing services being provided by the data importer come to an end.
At Appendix 1 the parties to the contract must set out details of the transfer itself. This section of the document is of critical importance and is organised under 6 different headings:
- “Data Exporter”
- “Data Importer”
- “Data Subjects”
- “Categories of Data”
- “Special categories of data”
- “Processing Operations”
In Appendix 2 the parties must describe the technical and organisational security measures implemented by the importer to protect data subjects’ personal data. Examples of relevant items for mention might include:
- Security elements of the IT systems deployed by the importer, e.g. the use of encryption;
- Details of the controls in place to limit (and regulate) access to the data;
- The use of logging mechanisms to verify whether and by whom the data has been accessed, used and/or disclosed.
It is important to bear in mind that SCCs form only one element of the current obligations which must now be followed to be compliant in terms of the use of personal data in a commercial/organisational setting. The article above provides introductory information only.
If you are moving personal data between Ireland and UK/NI and require further information or advice, please contact Donnacha T. Anhold, at Carter Anhold & Co., Solicitors (Sligo and Dublin) at +353 71 9162211