Brexit and Data Protection – Standard Contractual Clauses
Thu Oct 17 2019
Are you, or your data processors, transferring personal data to the UK?
Brokers should be mindful of where their data is being transferred, particularly if it is currently being transferred to the UK. If there is a No Deal Brexit, the UK will become a third country in relation to the EU and the transfer of personal data from the EU/EEA to the UK will be subject to the conditions governing third country data flows.
Examples of transfers of personal data:
- The insurer with whom brokers are placing business is transferring the data to the UK (e.g. its storage facility is based in the UK)
- HR/IT/Payroll functions outsourced to a UK-based firm
- Storage of data in the UK on a server or on the cloud (which would include back office suppliers/EDI quote engine providers)
- Use of a marketing company based in the UK (or with a storage facility in the UK) to send marketing communications to a customer database.
What this means in practice is that, in order to comply with GDPR rules, an Irish business that is transferring, or intending to transfer, personal data to the UK will need to put in place specific safeguards to protect the data in the context of its transfer and subsequent processing. The GDPR provides several solutions which allow the transfer of personal data from the EU/EEA to a third country. One such safeguard is the use of “Standard Contractual Clauses” (“SCCs”).
Brokers should ensure that, operationally, transfers are conducted and managed in a way that ensures that personal data is at all times protected to the level expected by the GDPR and that the obligations assumed by the parties under the terms of their SCCs contract are in fact discharged in practice.
To assist, we have provided some guidance below.
The broker will always be the Data Controller (exporter of the data). There are two types of SCCs:
- Data Controller (exporter) to Data Controller (importer). This would be used between the broker and the insurer that processes the data in the UK. Both parties are Data Controllers. The insurer imports the data into the UK. There are not many insurers that fall into this category. Insurers that transfer data to the UK should be advising you of this and providing you with the SCC.
- Data Controller (exporter) to Data Processor (importer). This would be used where the broker uses other data processors, such as HR/IT/Payroll functions based in the UK or processors based in Ireland with a cloud storage facility in the UK (Applied and OpenGI). The onus is on the broker (being the Data Controller) to provide these data processors with the SCC. See the SCC Template DC to DP.
The following very informative link (from the Data Protection Commission) provides an overview of the contents of SCCs – what each clause means, and what the appendices cover.