Brexit and Data Protection – Standard Contractual Clauses
Tue Dec 8 2020
Are you, or your data processors, transferring personal data to the UK?
Brokers should be mindful of where their data is being transferred, particularly if it is currently being transferred to the UK. If there is a No Deal Brexit, the UK will become a third country in relation to the EU and the transfer of personal data from the EU/EEA to the UK will be subject to the conditions governing third country data flows.
Examples of transfers of personal data:
- The Insurer with whom brokers are placing business is transferring the data to the UK (e.g. their storage facility is based in the UK)
- Outsourced HR/IT/Payroll functions to a UK-based firm
- Storage of data in the UK on a server or on the cloud (which would include Back office suppliers/EDI quote engine providers)
- Use of a marketing company based in the UK (or with a storage facility in the UK) to send marketing communications to a customer database.
What this means in practice is that, in order to comply with GDPR rules, an Irish business that is transferring, or intending to transfer, personal data to the UK will need to put in place specific safeguards to protect the data in the context of its transfer and subsequent processing. The GDPR provides several solutions which allow the transfer of personal data from the EU/EEA to a third country. One such safeguard is the use of “Standard Contractual Clauses” (“SCCs”).
Brokers should ensure that, operationally, transfers are conducted and managed in a way that ensures personal data is at all times protected to the level expected by the GDPR and that the obligations assumed by the parties under the terms of their SCCs contract are in fact discharged in practice.
The Broker will always be the Data Controller (exporter of the data). There are two types of SCCs:
- Data Controller (exporter) to Data Controller (importer). This would be used between the Broker and the insurer that processes the data in the UK. Both parties are Data Controllers. The insurer imports the data and transfers it to the UK (for storage or other processing). If insurers, who transfer data to the UK, have not provided you with the SCC as yet, you should provide it to them. See sample SCC here.
- Data Controller (exporter) to Data Processor (importer). This would be used where the Broker uses other data processors, such as HR/IT/Payroll functions based in the UK or processors based in Ireland with a cloud storage facility in the UK (Applied and OpenGI). The onus is on the Broker (being the Data Controller) to provide these data processors with the SCC. See sample SCC here.
In October the European Court of Justice issued a judgement which stated in effect that it will be illegal to transfer data to the UK as it allows unrestrained access by its intelligence services without any independent or judicial oversight. Brokers should note that this issue, as advised to members in our communication of 22 October, remains unchanged.
Regardless, at a minimum, Brokers, as data controllers, have an obligation to ensure that GDPR-appropriate safeguards, such as the SCCs, are in place. Although this does not resolve the UK oversight issue, it does provide some level of protection.