30th Floor, North Tower, Beijing Kerry Centre, 1 Guanghua Road, Chaoyang District, Beijing, 100020
+86 10 8519 0011
50th Floor, Central Plaza, 18 Harbour Road, Wan Chai, Hong Kong
+852 2521 5621
Room 4605, Park Place, 1601 Nanjing West Road, Jing An District, Shanghai, 200040
+8621 6321 1166
Suite 2405, 24/F, SCIA Tower, Qianhai Shenzhen-Hong Kong Modern Service Industry Cooperation Zone of Shenzhen, Shenzhen, 518000
+86 755 6123 5666
Select your language
Please accept the geolocation request appearing in your browser
Find other officesOUT-LAW NEWS 3 min. read
30 May 2022, 11:46 am
New guidance issued by the European Commission will be welcomed by UK-based suppliers involved in complex post-Brexit data transfer arrangements, but the guidance highlights a data protection “compliance gap” in relation to other data transfers, according to experts.
Kathryn Wynn and Rosie Nance of Pinsent Masons were commenting after the Commission published a new ‘Q&A’ paper regarding standard contractual clauses (SCCs) (24-page / 435KB PDF).
SCCs are one of the legal tools the Commission has developed to help businesses meet their obligations under the EU General Data Protection Regulation (GDPR) when transferring personal data outside of the European Economic Area (EEA). SCCs can be inserted into commercial contracts to govern how those importing personal data from the EU handle and safeguard that data, though the Commission has confirmed businesses cannot modify those clauses without approval of the modified version from a national data protection authority.
Last year the Commission published revised SCCs to replace those it had previously adopted in 2004 and 2010. The updated SCCs are designed to reflect the changes to data protection law implemented by the GDPR in 2018 and concerns raised by the Court of Justice of the EU in the so-called ‘Schrems II’ judgment.
Businesses will no longer be able to rely on the 2004 or 2010 SCCs to transfer data to third countries from 27 December this year. The Commission took the opportunity to reiterate that deadline date for remediation of legacy contracts in its Q&A paper.
Kathryn Wynn said there was welcome clarification in the guidance on a point of uncertainty that has arisen in relation to data transfers involving UK-based suppliers since Brexit.
“Data transfer arrangements have become more complex since Brexit. Some UK group companies have set up a substantial presence in EU countries, such as Ireland. We are familiar with scenarios where the data flows from an Irish controller to a UK group company providing shared services to a UK supplier and on again to a sub-contractor based outside the UK or EEA. Businesses involved in these arrangements have been keen to know which parties should enter into the SCCs, and which data protection regime – the EU GDPR or UK GDPR – applies,” she said.
“Previously, under the 2010 SCCs, only a controller could be the data exporter because it was only the controller that had data export obligations under the pre-GDPR legislation. In our scenario, this would have meant the Irish controller would be responsible for entering into the SCCs with the non-UK or EEA sub-contractor. However, because the 2021 version of the SCCs has a modernised, modular approach, the Commission has now confirmed that the processor is considered in our scenario to be the data exporter and therefore the party who enters into the SCCs with the non-UK or EEA sub-contractor,” Wynn said.
“The example the Commission gave involved a German controller, Polish processor and Indonesian sub-contractor. The initial transfer in that example is intra-EU, but the position is analogous to our scenario where the initial transfer is from Ireland to the UK because that transfer is a permitted transfer for which SCCs are not needed due to the UK’s ‘adequacy’ status. This clarification means that the data export requiring the ‘appropriate safeguards’ provided by the SCCs is the data export from the UK, not from the EU,” she said.
“This will be welcomed by businesses because it impacts on their contract remediation plans – while the 27 December 2022 deadline is fast-approaching, it applies to EU GDPR contracts; a later 21 March 2024 deadline applies for remediating UK GDPR contracts,” Wynn said. “It is worth noting that, in our scenario, the Irish entity, as the controller, will still need to ensure, from an accountability perspective, that its appointment of the UK processor and the subsequent processing by the UK processor and its sub-processors complies with the requirements of the EU GDPR.”
In its Q&A paper, however, the Commission confirmed that organisations cannot rely on the 2021 set of SCCs to comply with the GDPR when transferring personal data to controllers or processors in non-EEA countries that are directly subject to the GDPR. It plans to issue a new set of SCCs that businesses can use in this scenario. However, Nance said the Commission’s comments create a problem for businesses over what to do until those new SCCs are available.
“The Commission’s confirmation that the 2021 SCCs cannot be used for transfers to controllers or processors in third countries that are directly subject to the GDPR leaves a compliance gap in the meantime, as the European Data Protection Board (EDPB) confirmed earlier this year that the international transfer provisions in the GDPR would apply in that scenario,” Nance said.
“This also has the potential to make intra-group transfers pretty complicated as some parties may now consider that they are expected to carry out a detailed assessment of whether their group companies are subject to the GDPR and choose their SCCs accordingly,” she said.
Wynn said that the compliance gap has been plugged in the UK by the ICO in its international data transfer agreement (IDTA), published earlier this year. The IDTA makes clear that organisations caught by the UK GDPR may be a “data importer” under the IDTA. In this situation, the sections of the IDTA which contain UK GDPR obligations, such as those relating to data subject rights, are disapplied because the data importer is already obliged to comply with those obligations by virtue of it being subject to the UK GDPR.
Nance further flagged that the Commission had explicitly confirmed that where the SCCs are used for international transfers, a transfer impact assessment that follows recommendations made by the EDPB should be carried out.
Contact an adviser
Stay ahead by signing up to our weekly email of news and expert analysis, tailored for you
Data, privacy & cyber
Valid email address
Thanks, we have sent an email to
Please check your inbox to confirm your subscription. The confirmation email may take up to 15 minutes to arrive.
• Check your spam or junk folder
• Ensure your email address was entered correctly.
• You can amend your details and resubmit if required
• If the email has still not arrived, please contact us for assistance
OUT-LAW NEWS
Businesses in the UK should review and, if necessary, update how they handle employees’ concerns about corporate compliance to coincide with the implementation of a new whistleblower reward scheme by HM Revenue and Customs (HMRC), experts in investigating economic crime have said.
OUT-LAW NEWS
Microsoft’s software licensing practices are to be examined more closely by the UK’s lead competition authority.
OUT-LAW NEWS
Almost a third of online retailers caught in a Europe-wide crackdown referenced incorrect discounts during their sales, new research has revealed.
We use cookies that are essential for our site to work. To improve our site, we would like to use additional cookies to help us understand how visitors use it, measure traffic to our site from social media platforms and to personalise your experience. Some of the cookies that we use are provided by third parties. To accept all cookies click ‘accept all’. To reject all optional cookies click ‘reject all’. To choose which optional cookies to allow click ‘cookie settings’. This tool uses a cookie to remember your choices.
Please visit our cookie policy for more information.
