Our Brexit statement
In the event that the UK leaves the EEA without a deal, Esendex have taken the necessary steps to ensure that our international customers can continue to send and receive data across Europe, including Ireland and the UK. The main change is to our Data Processing Agreement or DPA, to which we have added ‘Standard Contractual Clauses’ (SCCs). What follows is a detailed explanation of the circumstances under which SCCs may perform a critical function.
- The GDPR ensures that countries within the EEA can share personal data;
- Should the UK exit the EEA without a deal, this protection for data sharing may not continue;
- To prevent any disruption to data transfers between the UK and EEA members, the EC have provided contractual clauses (SCCs) which can be applied in the event of a no-deal exit;
- Our new DPA includes these SCCs to ensure that you can demonstrate compliance with the GDPR, and so continue to send and receive data across Europe, including the UK.
What is the current situation as regards the exchange of personal data?
Under the GDPR, countries within the EEA can share personal data between them without restriction, meaning that data can flow freely between different EU countries.
Under the current law, where personal data is transferred from the EEA to a country outside the EEA (a ‘third country’), an additional safeguard is required to be put in place, unless the country is subject to an ‘adequacy’ assessment from the European Commission or unless a derogation (exemption) applies.
Will the GDPR continue to apply in the UK when the UK leaves the EU?
When the UK leaves the EU, the UK will become a third country.
Although the GDPR will no longer directly apply in the UK, it is incorporated into UK law by the Data Protection Act 2018 and the Withdrawal Bill, and it is likely that the law will remain the same. The GDPR also has extra-territorial effect and will continue to apply to any company that offers goods and services for sale in the EU.
In other words there will be no change from today, as far as the management of personal data is concerned. GDPR processes and procedures will be adhered to, and these arrangements should continue to be satisfactory when the UK leaves the EU.
Do additional measures need to be put in place in respect of the transfer of personal data from the EEA to the UK?
In the event that there is a deal, it is likely that data can continue to flow freely between the UK and the EEA during the transition period.
If there is a ‘no deal’ Brexit, the UK will become a third country, and transfers of personal data from the EEA to the UK will be prohibited unless there is an adequate safeguard in place, an ‘adequacy assessment’ or unless a derogation (exemption) applies.
There are no derogations (exemptions) that would apply to Esendex’s processing of personal data on behalf of its clients. Although the UK government has indicated that it will be seeking an ‘adequacy assessment’ from the European Commission, it cannot start the process of obtaining one until Brexit has happened, and it can take some months to be deemed adequate.
A safeguard will therefore be required to cover the transfer of data from clients in the EEA to the UK.
An example of an appropriate safeguard is ‘Standard Contractual Clauses’ (SCCs) approved by the European Commission. A number of UK Companies are likely to put these SCCs in their contracts, to ensure that a safeguard is in place during the period where the UK is waiting for an adequacy decision. The function of SCCs is to ensure that the flow of personal data from the EEA to the UK is safeguarded, i.e. it will be managed under current GDPR guidelines, processes and procedures.
The UK government has already stated that all EU member states will be treated as being adequate for personal data flowing out of the UK into the EEA, so there is no reciprocal issue with UK data going to the EU.
What are the ‘Standard Contractual Clauses’ (SCCs)?
If someone in the EEA sends personal data to someone outside the EEA, they must comply with GDPR rules on international transfers of personal data. The SCCs are one of a number of ‘safeguards’ which can be used to demonstrate compliance, and the one most likely to be appropriate for small and medium-sized businesses.
The SCCs are standard sets of contractual terms and conditions to which the Data Controller (you) and the Data Processor (Esendex) of the personal data both sign up. They include contractual obligations which help to protect personal data when it leaves the EEA and confer the protection of the GDPR.
How are SCCs implemented?
In Esendex’s case, SCCs can be incorporated into Data Processing Agreements that exist between ourselves and our customers across Europe.
This is an evolving area and there may be further guidance from the UK government, ICO (Information Commissioner’s Office), European Commission and/or the EDPB (European Data Protection Board) over the coming weeks; if so, we will update you accordingly.