Boxing Day saw yet another warning from Brussels to find a new basis for transferring personal data from the EEA to the UK, as it is considered unlikely that there will be an EU 'adequacy finding' by this time next year. UK firms processing personal data in the EEA will also need to appoint a local EEA representative (and may have other problems). The options include adding 'standard model clauses' to contracts under which that data currently flows to the UK. But there might be a lot of those contracts and the process of putting them in place might just make everyone nervous. So why transfer the data at all? Let us know if we can help.
Many UK firms hold personal data relating to EEA individuals. This might be data relating to EEA-based staff, customers or suppliers, for example; or personal data that is included in data sets processed in the course of 'big data' analysis for the purpose of developing products or targeting advertising.
In addition, the UK's Information Commissioner is reminding UK firms that don't have any EEA offices, branches or other establishments to consider whether they are processing personal data of individuals in the EEA that relates to either:
- offering goods or services to individuals in the EEA; or
- monitoring the behaviour of individuals in the EEA.
The ICO says that
If you are carrying out such processing, and intend to continue after the end of the transition period, you will need to consider whether you must appoint a European representative.
You will need to consider in which EU or EEA state your representative will be based and put in place an appropriate written mandate for that representative to act on your behalf. Information about the representative should be provided to data subjects, for example, in your privacy notice. It should also be made easily accessible to supervisory authorities, for example by publishing it on your website.
Rather than transfer that data, the UK firms could - as many already have - simply incorporate an entity within the EEA to hold the data and determine the means and purposes of processing. That EEA entity could do the processing itself within the EEA or outsource that to an EEA-based processor with the right experience and expertise. Only the aggregated results would need to go to the UK.
It can be a simple matter to transfer existing English law contracts to a new entity, particularly as Irish law is so similar.
Wojciech Wiewiorowski, the EU’s new data protection supervisor, said the UK was “13th in the row” of countries that are negotiating data deals with Brussels. Allowing the UK to skip the queue “would be a little bit unfair towards those who have already prepared themselves for this process,” he added.