MRS Brexit Survival Guide: EU-UK Data transfers, November 2018


© 2018 MRS. All rights reserved. November 2018. No part of this publication may be reproduced or copied in any form or by any means, or translated, without the prior permission in writing of MRS.

Overview

The UK will formally leave the European Union on 29 March 2019. At the time of publication of this note, the terms of the future relationship had not yet been agreed. Given this considerable uncertainty, we are publishing this note to provide guidance to MRS members and Company Partners to help them comply with the requirements of the General Data Protection Regulation (GDPR) on personal data transfers. Our aim is to present the tools and options that are available for organising your internal operations, allowing for the smoothest possible transition in personal data transfers.

Why are personal data transfers a topic of discussion?

By adopting the GDPR, the European Union provided its Member States [1] and the members of the EEA [2] with a comprehensive framework for data protection. Its major aim is to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union. In order to guarantee legal certainty and transparency for businesses, natural persons and authorities, the GDPR is a regulation that applies automatically to all Member States, although it allows them limited opportunities to make provisions for how it applies in their country. This means that:

- The GDPR is directly applicable to the UK until Brexit day. Unless a ratified withdrawal agreement establishes otherwise, from March 30, 2019 all EU legislation will cease to apply.
- The UK has adopted the Data Protection Act 2018 (DPA 2018). In addition to restating the provisions of the GDPR, the DPA 2018 also sets out tailored national exemptions (in areas allowable under the GDPR) and provides a legal framework for data protection in criminal justice and law enforcement. It also replaces the Data Protection Act 1998 (DPA 1998).
- In the case of no Brexit deal, the DPA 2018 will be the applicable legislation and the UK will be referred to as a third country. Until then, the GDPR and the DPA 2018 must be read side by side.

[1] The EU countries are: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the UK.
[2] The EEA includes the EU countries and also Iceland, Liechtenstein and Norway. It allows them to be part of the EU's single market.

What is a personal data transfer and why does it matter so much?

Further information on data protection can be found in the MRS Guidance Note on Data Protection and Research.

The GDPR defines personal data as information relating to an identified or identifiable natural person, who can be identified directly or indirectly by that data on its own or together with other data. This includes identifiers such as a name, an identification number, location data, device identifiers, cookie IDs and IP addresses, and relates to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. The GDPR also requires a higher level of protection when special categories of personal data are processed: race; ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data; biometric data (where this is used for identification purposes); health data; sex life; or sexual orientation.

International personal data transfers, to countries outside the EEA, are considered a risk for data subjects, as they may not receive the same guarantees as provided by the GDPR. This is why the GDPR restricts the transfer of personal data to countries where the GDPR is not applicable unless a series of safeguards are in place. If the UK leaves the EU on 29 March 2019 without a deal, any flow of personal data from the EEA to the UK AND any onward transfer from the UK to another third country will be allowed only if a series of safeguards are in place.

As mentioned, by analysing the following options we aim to help your organisation make an informed decision about the available tools and hence allow the smoothest transition. Our assumption for this guidance is a no-deal scenario.

In preparation for it, practitioners, both controllers and processors, should as a matter of priority:

- Identify key data transfers, particularly with organisations that are based in the EU
- Assess data flows, focusing on transfers of data from the EU to the UK
- Implement a robust data transfer mechanism

What about UK-EEA transfers?

The UK Government has stated that it will permit transfers of personal data from the UK to the EU. In light of this, no additional steps should be necessary for data transfers from the UK to the EU apart from standard GDPR compliance measures, including data processing agreements. However, both controllers and processors should be aware that in the future individual EU Member States may decide to implement national laws that require additional steps for UK businesses.

Ensuring the Free Flow of Data: what options?

First things first: EEA controllers and processors will be able to transfer personal data which is undergoing processing or is intended for processing to the UK only if they can successfully apply a two-step process:

1. Determine and use an appropriate legal basis for the data processing (together with full GDPR compliance);
2. Use applicable GDPR provisions on lawful data transfers.

The case for an Adequacy Decision

An adequacy decision is a decision taken by the European Commission establishing that a third country provides a comparable level of protection of personal data to that in the European Union, through its domestic law or its international commitments. As a result, personal data can flow safely from the EEA to that third country without being subject to any further safeguards or authorisations. Until now the European Commission has granted adequacy only to Andorra, Argentina, Canada, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.

Partial adequacy decisions [EU Commission wording], limited in scope, are:

- US Privacy Shield: a voluntary scheme that protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States for commercial purposes. The framework also brings legal clarity for businesses relying on transatlantic data transfers.
- Canada sector-specific framework: applies only to private entities falling under the scope of the Canadian Personal Information Protection and Electronic Documents Act.

Further information on Adequacy Decisions can be found on the EU Commission website here.

An adequacy decision or partial adequacy decision is the best-case scenario, but this requires a lengthy political process that can be initiated only once the UK officially becomes a third country on March 29, 2019.

The case for Binding Corporate Rules

Multinational groups and joint ventures can use Binding Corporate Rules (BCRs), a set of legally binding policies that regulate international personal data transfers from organisations established in the EEA to organisations (within the same group) that are established in the UK. BCRs work as a code of conduct, ensuring that all data transfers within a corporate group occur under adequate safeguards. They cover a set of elements such as privacy principles (transparency, data quality and security); tools of effectiveness (such as audit, training or complaint handling systems); and an element proving that the rules are binding. After development, BCRs must be approved by the relevant data protection authority in the location of the European headquarters of any organisation using BCRs.

The European Commission has developed a toolkit for organisations seeking to develop BCRs, which the ICO has published here.

First step: The company designates the lead authority. This is the authority which handles the EU cooperation procedure with the other European data protection authorities (DPAs).

Second step: The company drafts the binding corporate rules. These rules have to meet the requirements set out in the working papers adopted by the Article 29 Working Party.

Third step: The draft is submitted to the lead authority, which reviews it and provides comments to the company to ensure that the document matches the requirements set out in paper WP 153.

Fourth step: The lead authority starts the EU cooperation procedure by circulating the binding corporate rules to the relevant DPAs. These authorities will be located where group members transfer personal data to entities located in countries that do not ensure an adequate level of protection. The EU cooperation procedure is closed after the countries under mutual recognition have acknowledged receipt of the BCRs. A mutual recognition procedure has been agreed: under this procedure, once the lead authority considers that the BCRs meet the requirements, the DPAs under mutual recognition accept this opinion as a sufficient basis for providing their own national permit or authorisation.

Fifth step: Once the binding corporate rules have been considered final by all DPAs, the company shall request authorisation of transfers on the basis of the adopted rules from each national DPA.

The decision as to which DPA should act as the lead authority is based upon relevant criteria such as:

- the location of the group's European headquarters;
- the location of the company which is best placed to deal with the application and to enforce the binding corporate rules in the group; or
- the EU country from which most transfers outside the EEA will take place.

BCRs are very useful for intragroup data transfers within multinationals and group ventures, but the process for obtaining them can take a long time and requires significant investment by organisations. Additionally, it is important to note that they do not provide a basis for transfers made outside the group.

The case for Standard Data Protection Clauses (SDPCs)

Standard contractual clauses provide an important tool: the European Commission has published those that offer sufficient safeguards on data protection for personal data to be transferred from the EEA to third countries [for the purposes of this note, from the EEA to the UK]. The clauses contain contractual obligations on the EEA data exporter and the UK data importer, and rights for the individuals whose personal data is transferred. Importantly, individuals can directly enforce those rights.

Since 2010, EEA-based controllers wishing to rely on Standard Contractual Clauses to legitimise international data transfers to processors outside the EEA have had to use the updated clauses for new processing operations. There are three sets of standard contractual clauses that will remain valid until replaced or amended by the European Commission:

- 2001: EEA controller to third country controller. Available here: https://bit.ly/2tyamfa
- 2004: alternative EEA controller to third country controller. Available here: https://bit.ly/2ttaura
- EEA controller to third country processor. Available here: https://bit.ly/2pawdgu

New contracts: It is very important that you keep checking the websites of the UK ICO and of the European Commission for further updated information. Use the clauses in their entirety and without amendment.

New parties in the contract? You can add parties (i.e. additional data importers or exporters, both controllers and processors) provided they are also bound by the standard contractual clauses.

Specificities of the business: You can include additional clauses on business-related issues, provided that they do not contradict the standard contractual clauses.

Remember! If you are making a restricted transfer from a controller to a processor, you also need to comply with the GDPR requirements about using processors.

Taking into account all the circumstances, such clauses appear to be the most effective way to guarantee a frictionless Brexit transition, until the adoption of more favourable options or frameworks.

The case for a GDPR Code of Conduct

Another contractual option is to adhere to a sectoral GDPR Code of Conduct which has been approved by a Data Protection Authority and by the European Commission. This is a new option and as such will require significant time to be fully operational. MRS is already developing a GDPR Research Code, together with our European counterparts and European national DPAs. As one of the first sectors actively engaged in the process, we hope to be operational by summer 2019, but this will be dependent on when the Code review and approval process is operational.

The case for Derogations

As previously stated, the adoption of standard contractual clauses appears to be the most effective way to guarantee continuous EEA-UK data transfer for the time being. The GDPR also provides a set of derogations for specific situations, in the absence of an adequacy decision or appropriate safeguards. But the protection of the fundamental right to respect for private life at EU level requires that derogations from and limitations on the protection of personal data should apply only in so far as is strictly necessary. The derogations are:

- The individual's explicit consent to the restricted transfer: a valid consent is specific and informed (please see GDPR In Brief No. 5 on Informed Consent), including all information related to the identity of the receiver, the reasons for the transfer, the kind of data transferred and the risks involved in a transfer to a country which is not deemed to provide adequate data protection. Consent must be obtained every time a transfer occurs.
- The transfer is necessary for the performance of a contract between the data subject and the controller, or for the performance of a contract concluded in the interest of the data subject.

In all these cases the transfer may take place only if it is occasional, necessary, not repetitive and concerns only a limited number of data subjects. A data transfer that occurs regularly within a stable relationship between the data exporter and a specific data importer is deemed systematic and repetitive, as is the case where a data importer is granted access to a database on a general basis.

Derogations have to be interpreted restrictively. They have to be documented in your records of processing activities. They have to be communicated to the ICO.

International Data Transfer Decision Tree

1. Can the EEA controller anonymise the dataset?
   Yes: Restricted transfer allowed.
   No: go to question 2.

2. Has the UK received an adequacy decision or similar framework?
   Yes: Restricted transfer allowed.
   Not yet: go to question 3.

3. Have the EEA and UK controllers and processors adopted Standard Protection Clauses?
   Yes: Restricted transfer allowed.
   No: Restricted transfer is not allowed, unless the EEA exporter can, in very limited cases, refer to a derogation.

Research Scenarios

In any international research project, there are several occasions on which a transfer can occur.

Key terms

- Simple transfer: a transfer of data inside the protection of the GDPR, within the EEA.
- Restricted transfer: a transfer of data that is regulated by the GDPR, in the countries and circumstances in which it applies, to a receiver that is located outside the EEA, that is not your direct employee, or that is not a branch of your company.
- Transit: personal data that is just electronically routed through a non-EEA country, where the transfer is from one EEA country to another EEA country.

Scenario 1. An Italian digital brand, the controller, has commissioned a UK research agency, the processor, to carry out research with a branded online community established for this purpose. Client and agency included Standard Data Protection Clauses (SDPCs) in the contract. The UK agency is considering sub-contracting with a US-based agency to host the online community.

- Restricted transfer from Italy to the UK: allowed because of the SDPCs.
- Restricted onward transfer from the UK to the US: allowed if the US subcontractor is Privacy Shield certified.

Scenario 2. A Dutch client, the controller, commissions a research project from a French multinational research agency, the processor, providing a sample of its customer database. The Paris branch assigns the research to the Bristol branch. The Bristol branch subcontracts a London translator and a Tel Aviv analyst.

- Restricted transfer from Paris to Bristol: allowed if Binding Corporate Rules have been adopted by the group.
- Restricted onward transfer from Bristol to London: allowed only if SDPCs are adopted.
- Restricted onward transfer from Bristol to Tel Aviv: allowed because of the Israeli adequacy decision.

Scenario 3. A Belgian pharma company, the controller, commissions research from a UK agency, the processor, on a sample collection that will be provided directly by a Spanish fieldwork recruiter.

- The restricted transfer between the Spanish contractor and the UK agency will be allowed only if SDPCs are adopted.
- The restricted transfer from the UK agency to the Austrian client is allowed because the data go back to the EU.

Data Transfers and where to find them

[Diagram in the original: a map of the transfers in a typical research project. The labels recoverable from the diagram are listed below.]

1st transfer: EEA client/controller to UK agency/processor
- Research project outside the scope of the GDPR: simple transfer
- Research project within the scope of the GDPR: restricted transfer
- Branches within the same group and data centres
- Transit: when personal data are just electronically routed through a non-EEA country, but the transfer is actually from an EEA country to an EEA country

Onward transfers from the UK-based agency/processor
- USA-based panel provider, Privacy Shield signatory: simple transfer
- USA-based panel provider, non-Privacy Shield signatory: restricted transfer
- Italian fieldwork agencies: simple transfer
- Irish viewing facilities: simple transfer
- Russian transcription/translation services: restricted transfer
- Canadian freelancer: simple transfer