The UK data protection authority (ICO) has published new versions of the contractual clauses that will govern international transfers of data outside the UK. After Brexit, the UK needed to adopt its own standard contractual clauses, which could reflect, in terms of convenience and safety, the cooperation strategy adopted in Europe.
So far, relations with the European Union are governed by an adequacy decision of their own, while data leaving UK territory is governed by rules that largely reflect what the GDPR defines in the European Union (the “UK GDPR”). The UK has also been given the power to issue, entirely independently, its own adequacy decisions regarding the transfer of personal data to third countries and international organizations other than those previously considered by the European Union.
Why does the UK need new SCCs after Brexit
By way of introduction, it is worth briefly examining the intentions of the UK authorities regarding the need for tools that legitimize transfers of personal data abroad. Jo Jones, Deputy Director of International Data Transfers at the UK Department of Culture, Media and Sport, said in an interview with IAPP: “As part of our ambitious National Data for Growth strategy, the UK will work globally to remove unnecessary barriers to cross-border data flows. […]. This is very important because data transfers have revolutionized our way of life and our global economies. Data transfers support exciting opportunities for innovation, collaboration, and trade, particularly in scientific research, financial services, and artificial intelligence. Thus, an unlimited flow of data will be an integral part of global recovery, growth and prosperity in the future.”
Jones also added: “The UK’s adequacy is the simplest way for UK organizations to transfer personal data freely and securely. Efficiency can increase trust by providing businesses and consumers with greater confidence in the laws of the jurisdiction to which the data is being transferred. Adequacy also removes the burden and cost of compliance for British institutions to use alternative transfer mechanisms.” In particular, in the wake of the well-known Schrems II ruling, which invalidated the so-called Privacy Shield, authorities warned of “how difficult it is for organizations to conduct case-by-case assessments in countries where they send data to”, and have since sought to provide useful tools that allow data transfer activities to continue safely.
What does the ICO say?
This is the context for the new standard contractual clauses published by the ICO following the 2021 consultation, which constitute a specific and complementary addendum to Commission Resolution 2021/914 on standard contractual clauses for the transfer of personal data to third countries. Thus, from March 21, 2022, data exporters located in the United Kingdom can use the International Data Transfer Agreement (IDTA) to transmit data to third countries in compliance with the provisions of Article 46 of the UK GDPR.
At the same time, the standard contractual clauses developed by the European Commission can also be used, through the Annex, which amends and supplements some clauses of the European SCCs, ensuring in this case too that the transfer of personal data fully complies with the principles contained in the legislation and in the Schrems II judgment.
Content of the International Data Transfer Agreement
It can be said that, also because of the overlapping regulations on the processing of personal data, the International Data Transfer Agreement refers, in its structure, to the aforementioned Resolution 2021/914 of the European Commission.
The initial part of the agreement, which is also its editable part, is organized into tables that help summarize the main aspects of the processing, namely:
- the parties to the agreement and their roles, with their contact details;
- details of the transfer, i.e. applicable laws, the status of the importer and exporter, the existence of contracts and agreements relating to the transfer, and the period of time during which the data will be transferred;
- the categories of data included in the transfer, and the purposes of processing associated with the transfer itself;
- the security requirements set by the parties for the transfer of personal data;
- additional technical, organizational and non-contractual security measures applicable to the transmission of data;
- the commercial terms of the agreement between the importer and the exporter.
The IDTA also contains all mandatory provisions that govern the correct transfer of personal data, facilitate their understanding, and also define the laws and principles that must be applied to the processing.
The purpose of the agreement, as stated in its own text, is to ensure that the transmission of data is subject to adequate guarantees during the period in which the importer stores or processes the data, or carries out any other type of processing.
What should the exporter do?
For this reason, the agreement requires the parties to provide not only for compliance with minimum safeguards, but also for those additional measures that give a level of security adequate to the risk of a personal data breach and to the impact on the data subjects affected by such a breach, including consideration of any sensitive data within the data transferred.
In more detail, the exporter must:
- carry out checks on the ability of the importer to comply with the agreement;
- cooperate with the issuer to allow it to fulfill its obligations, especially towards the concerned parties;
- ensure and demonstrate that the IDTA entered into (including any security requirements and additional protection clauses) provides appropriate safeguards; and
- if the importer reasonably requests it, provide it with a copy of the Transfer Risk Assessment (TRA).
Duties of the importer
The importer, for its part, is required to:
- Before receiving any Transferred Data, provide the Exporter with all information regarding local laws and practices, protections and risks applicable to the Transferred Data when processed by the Importer, including any information that could reasonably be required for the Exporter to transmit any ARF (“Importer Information”);
- work with the exporter to ensure compliance with obligations under UK data protection laws;
- fulfill the obligations under the data transfer agreement;
- provide the exporter with all the information necessary to carry out the audit;
- Check whether there are any local laws that prevent compliance with its obligations, and take reasonable steps to verify this, on a regular basis. Regulatory reviews must have at least the same frequency as agreement reviews;
- inform the exporter as soon as it becomes aware of any changes to the importer’s information and/or any local law that may prevent or limit the importer’s compliance with the obligations under the agreement;
- cooperate with the exporter, providing the necessary assistance in processing and informing it in the event of personal data breaches.
Under the clauses, the parties are required, as anticipated in the preceding paragraph, to subject the IDTA, including its security requirements, to periodic review. The agreement must always remain consistent with the processing and with the organizational context in which the processing takes place. If the information contained in the Agreement is no longer consistent, each party is obliged to inform the other in writing, so that the Agreement can be updated. If, at any time, the Agreement no longer provides sufficient guarantees for the processing, the Parties shall, without undue delay:
- suspend the transmission and processing of the transferred data for the period in which changes to the content of the Agreement are being agreed. Furthermore, “the importer may keep a copy of the data transferred during this break, in which case the importer shall make any necessary processing to maintain, as far as possible, the measures it was taking to obtain appropriate safeguards,” i.e., to comply with the minimum guarantees stipulated in the previous agreement, without carrying out any further processing;
- agree to amend the agreement, in the parts left to the contractual freedom of the exporter and importer.
In the event that it is not possible to agree on an amendment allowing compliance with the rules on data processing, maintaining appropriate safeguards on the transfer, the exporter must terminate the agreement by written notice to the importer.
Transfer of data to third parties
The obligations under the agreement also apply when the importer, in turn, transfers personal data to third parties. Such a transfer is permitted only if it does not violate the content of the Agreement, and if:
- The third party has entered into a written contract with the importer containing the same level of protection for data subjects as provided in the IDTA (based on the recipient’s role as a controller or processor) and the importer has performed a one-time risk assessment to ensure that appropriate safeguards are applied to the processing; or
- the third party is added to the agreement as a party; or
- if the importer is located in the UK, the data transfer is compatible with Article 46 of the UK General Data Protection Regulation; or
- if the importer is located in the UK, the data transfer is one of the exceptions set out in Article 49 of the UK GDPR.