EM Law Data Protection

Personal Data Transfers: Transfers Outside The EEA

The UK company passes information about its employees to this HR service. These are international personal data transfers and, on the face of it, are prohibited by the GDPR. However, personal data transfers such as these happen every single day. So how does the GDPR cater for this and what should your business be doing to ensure that it stays data protection compliant?

Personal Data Transfers - What are Restricted Transfers?

A few months ago, the ICO published updated guidance in relation to international personal data transfers under the GDPR. In this guidance the ICO clarified that personal data transfers are restricted if:

  • The GDPR applies to your processing of the personal data that you are transferring. In general, the GDPR applies if you are processing personal data in the EEA, and may apply in certain circumstances if you are outside the EEA and processing personal data about individuals in the EEA;
  • You are sending personal data, or making it accessible, to a receiver to which the GDPR does not apply. Usually this is because they are located in a country outside the EEA; and
  • The receiver is a separate organisation or individual. So, for example, a transfer from a UK based organisation to its employee working outside the EEA would not be classified as a restricted transfer.

It should be noted that “transfer” does not mean the same as transit. If personal data is simply electronically routed through a non-EEA country but the transfer is actually from one EEA country to another, then it is not a restricted transfer. To give an example, a controller in France may transfer personal data to a controller in Ireland via a server in Australia. As there is no intention that the personal data will be accessed or manipulated while in Australia, the transfer is only to Ireland and is not classed as a restricted transfer.

Which countries are located within the EEA?

The EEA countries consist of the EU member states and the EFTA States. The EU member states are Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the United Kingdom. The EFTA states are Iceland, Norway and Liechtenstein. The EEA joint committee recently made a decision that the GDPR does apply to these countries; therefore, transfers to these countries are not restricted.

How can you make restricted personal data transfers in accordance with the GDPR?

Before making personal data transfers that are restricted, you should consider whether the transfer is necessary. It may be that you can achieve your aims without actually sending data or you can make data anonymous so that it is not possible to identify individuals. If you decide that there is no other way, then clearly the transfer is necessary and the rights of individuals will have to be protected in another way.

Adequacy decision

The first thing you should consider is whether the relevant country or international organisation is covered by an adequacy decision. The European Commission has the power to determine, on the basis of article 45 of the GDPR, whether a country outside the EU offers an adequate level of data protection. A transfer to an adequate country is the simplest way to transfer data outside the EEA; these transfers are permitted and legal under the GDPR. Currently, there are full findings of adequacy for Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. There are also partial findings of adequacy about Canada and the USA. The adequacy finding for Canada only covers data that is subject to Canada’s Personal Information Protection and Electronic Documents Act. The adequacy finding for the USA only covers personal data transfers covered by the EU-US Privacy Shield framework. Adequacy talks are currently ongoing with South Korea and the adoption procedure of the adequacy decision concerning Japan was launched a few months ago.

Appropriate safeguards

In the absence of an adequacy decision by the Commission, personal data transfers may only be made to a third country or an international organisation if the transfer is covered by appropriate safeguards. These safeguards are set out in article 46 of the GDPR. The appropriate safeguards, which may be provided for without requiring any specific authorisation from a supervisory authority, include:

  • a legally binding and enforceable instrument between public authorities or bodies;
  • Binding Corporate Rules;
  • standard contractual clauses adopted by the Commission;
  • standard contractual clauses adopted by the supervisory authority and approved by the Commission;
  • approved codes of conduct; and
  • approved certification mechanisms.

In practice, the safeguards that are likely to be the most relevant are Binding Corporate Rules and standard contractual clauses.

In short, Binding Corporate Rules are internal rules designed to allow multinational companies to transfer personal data from the EEA to their affiliates located outside of the EEA. Binding Corporate Rules can be used by both controllers and processors, provided that the data exporter is established in an EU member state. Binding Corporate Rules must be approved by the relevant data protection authority (in the UK this is the ICO) and in order to gain this approval, an applicant must demonstrate that it has in place adequate safeguards for protecting data throughout the organisation. Once implemented and operational, Binding Corporate Rules are much easier to maintain than a matrix of intra-group contracts and offer greater flexibility to organisations.

As Binding Corporate Rules do not cover transfers outside a corporate group, many companies opt for standard contractual clauses, also known as EU model clauses. At the moment there are three sets of standard contractual clauses: two sets for transfers from data controllers established in the EEA to data controllers established outside the EEA, and one set for transfers from data controllers established in the EEA to processors established outside the EEA. An important thing to remember with standard contractual clauses is that you must not amend them. Additional clauses may be added if necessary; however, these should be purely commercial in nature.

Exceptions

In the absence of an adequacy decision, or of appropriate safeguards, restricted personal data transfers may still take place if they fall within one of the exceptions set out in Article 49 of the GDPR. Some of the exceptions include:

  • Where the individual has given his or her explicit consent to the restricted transfer.
  • Where the transfer is necessary for the performance of a contract with the individual.
  • Where the transfer is necessary for important reasons of public interest.
  • Where the transfer is necessary for the establishment, exercise or defence of legal claims.

Although useful, these exceptions should be used narrowly and only in exceptional cases. It should also be noted that the consent and contract exceptions cannot be relied upon by public authorities in the exercise of their public powers.

Final thoughts

While the rules on international personal data transfers may at first sight seem complicated, the GDPR offers a variety of solutions for all types of organisations. In a world more connected than ever, these solutions are a crucial addition to the new data protection laws.

If you have any questions around international personal data transfers or you would like some general advice on data protection compliance please contact Neil Williamson.


EM Law Contract Lawyers

Business Contract Terms (Assignment of Receivables) Regulations 2018

Despite some controversy, the new legislation prevents the prohibition or restriction of assignment of receivables under certain contracts. Our team at EM Law can help you understand how the new Regulations may impact on your business.

What are the Business Contract Terms (Assignment of Receivables) Regulations 2018?

Under English law, parties are generally free to provide for the terms and conditions that will govern their relationship. This concept is known as freedom of contract. Commercial contracts, for example, routinely contain provisions that prohibit or restrict the ability to assign or transfer rights created under a contract. Parties limit assignments by the other party for various legitimate reasons. Such reasons include preserving business relationships, preventing receivables coming into the hands of an aggressively hostile party or competitor, ensuring that an incoming party is bound by obligations, or preserving confidentiality.

Under the new Business Contract Terms Regulations, any terms that prohibit or restrict the assignment of receivables shall have no effect. A receivable, effectively, is a right to be paid. Regulation 2(1) states that “a term in a contract has no effect to the extent that it prohibits or imposes a condition, or other restriction, on the assignment of a receivable arising under that contract or any other contract between the same parties.” In theory, this means that parties to contracts will be able to freely assign rights to the receivables of a contract to a third party without consulting the other contracting party or parties.

What types of contract do the Regulations apply to?

Broadly speaking, the Business Contract Terms Regulations will apply to business contracts entered into on or after 31 December 2018. However, there are several types of contract to which the Regulations will not apply.

Regulation 3 states that the Regulations will not apply if at the time of the assignment the supplier is a large enterprise or special purpose vehicle. A supplier is a large enterprise if it satisfies one of the conditions in Regulation 3(3), such as being a company which qualifies as medium-sized within the meaning given by sections 465 to 467 of the Companies Act 2006. A supplier is a special purpose vehicle if it carries out a primary purpose in relation to the holding of assets or the financing of commercial transactions and in either case involves incurring a liability of £10 million or more.

Regulation 4 sets out various other situations in which the Regulations will not apply. In these situations the government has recognised that some contracts rely on non-assignment for sound commercial reasons and that freedom of contract in these instances should be preserved. Such situations include where the contract concerns any interest in land, where the contract is for prescribed financial services and where the contract is entered into for the purpose of, or in connection with, the acquisition, disposal or transfer of an ownership interest in a firm. For the latter exclusion to apply, the corporate acquisition contract must include a statement to that effect.

Why have these changes been made?

According to the Department for Business, Energy and Industrial Strategy, the main objective of the Business Contract Terms Regulations is to facilitate access to finance for businesses.

Businesses depend upon having adequate cash flow to meet their liabilities and often need access to external finance in order to invest and grow. For growing businesses, invoice finance is an important way of securing the working capital that they need. Invoice finance is particularly valuable in those sectors where businesses have to wait a long time between issuing an invoice and receiving payment because it allows businesses to borrow money against the amounts due from customers.

Where assignment has been prohibited or restricted by a term in a contract, finance providers have to use other means to offer finance, such as requesting the debtor to allow assignment or using a work around such as a separate trust account or power of attorney. This increases the cost of providing invoice finance and may lead to a refusal of invoice financing. Under the Regulations, such terms will have no effect. According to the government, this will enable more businesses to access invoice finance and in turn diversify finance markets and encourage competition.

Do I need to amend my current contracts?

Although uncertain at the moment, it is unlikely that major changes will need to be made to current standard documents. In relation to corporate share purchase and asset purchase agreements, and transitional service agreements, it should not be necessary to make any amendments to benefit from the exception for corporate acquisition contracts.

In relation to supply contracts, the government has said that businesses do not need to incur costs redrafting their standard contractual terms, as the Regulations do not make bans on assigning invoices illegal; they simply make them unenforceable. Where there is a term prohibiting or restricting assignment, the Regulations will simply override the contractual provision.

Despite this, where practicable, it would be sensible to reflect the underlying law in new contracts. Over time, it is likely that contracts will expressly refer to the Business Contract Terms Regulations in order to do this.

If you have any questions around the new Business Contract Terms Regulations or you would like advice on how they may impact your business please contact Neil Williamson.


EM Law Data Protection

Data Subject Access Requests - What You Need To Know

Data subject access requests are a key element of GDPR. Although an individual’s right to access their data has been a major part of data protection legislation since 1984, the development of technology has led to a massive expansion in the nature and quantity of data being processed. This blog takes a look at data subject access requests, how they work, and the impact that the GDPR has had upon them. We specialise in data protection so if you have any questions about this blog please get in touch. Our lead lawyer for data protection advice is Neil Williamson.

What are data subject access requests?

Put simply, a data subject access request is a request that allows individuals to find out what personal data an organisation holds about them, why they hold it and who the information is disclosed to. For information to be personal data, it must relate to an identified or identifiable natural person. Such information, either on its own or in combination with other data, may include personal contact details about that individual, information about their appearance, or information about sick leave.

How do I make a data subject access request? 

For data subject access requests to be valid, they must come from an individual or from someone acting on their behalf. Often, this will be a solicitor acting on behalf of a client but can also be a family member or friend.

Individuals can make data subject access requests verbally or in writing. The ICO even suggests that individuals can make data subject access requests through social media sites such as the organisation’s Facebook or Twitter. A request does not have to include the phrase ‘subject access request’ or refer to Article 15 of the GDPR, as long as it is clear that the individual is asking for their own personal data.

How do I respond to data subject access requests?

To avoid inadvertently disclosing personal information to the wrong person, an organisation should first seek to establish that the individual making the request is who they say they are. If there are doubts, organisations can request proof of ID or request proof of a relationship with the individual. Some organisations may find it easier to provide individuals with a specially designed form. These forms can help organisations track data subject access requests and streamline internal processes and procedures. However, individuals are not obliged to use these forms and could still request their information in other ways.

In addition to a copy of an individual’s personal data, organisations must provide other information. This information includes the retention period for storing the data, the individual’s right to request erasure of their data, and the safeguards in place when their data is transferred to an international organisation. The full list of information is set out in Article 15 of the GDPR. An organisation may find that they have already disclosed most of this information in their privacy notice. In this case, an organisation can point an individual towards this.

Organisations should be mindful where an individual’s personal data includes information about other individuals. The Data Protection Act 2018 states that an organisation does not have to comply with a request if it means disclosing information about other individuals unless the other individual has consented to the disclosure or it is reasonable to comply with the request without that individual’s consent. In determining whether it is reasonable to comply, there are a number of factors that should be taken into consideration. These include the type of information being disclosed, any duty of confidentiality owed, and any express refusal of consent. If the other individual does not give their consent and it is not reasonable in the circumstances to disclose the data without their consent, an organisation should consider removing or redacting the data about that other individual.

What will happen if I don’t respond to a data subject access request?

The ICO has a range of enforcement tools available to it under the GDPR, including issuing warnings and notices, ordering compliance and imposing fines. These fines can be very large: up to 20 million euros or, if higher, 4% of an organisation's worldwide annual turnover.

Are there any exemptions?

The Data Protection Act 2018 sets out a number of exemptions which allow information to be withheld from individuals where it would usually need to be disclosed. These exemptions include:

  • Legal advice and proceedings – organisations do not have to disclose data which is covered by legal professional privilege;
  • Confidential references – organisations do not have to provide access to confidential references that they have given in relation to an employee’s employment; and
  • Management information – organisations do not have to disclose data which relates to management planning and forecasting.

Can I use a data subject access request for the purposes of litigation?

As data subject access requests are limited to personal data, they are less wide-ranging than general disclosure obligations. Nonetheless, actual and potential litigants often use data subject access requests as a tactic in litigation or as a means of collecting information from their opponent. In Dawson-Damer v Taylor Wessing LLP (2017), the Court of Appeal decided that the motivation behind a data subject access request was irrelevant. Data subject access requests are valid even if the collateral purpose is to obtain information for the purposes of litigation.

The GDPR does not refer to the intention behind a subject access request and therefore the starting point is that any individual is entitled to exercise their right of subject access. The ICO makes clear that companies cannot refuse to supply information simply because the information is requested in connection with actual or potential legal proceedings.

How has the GDPR changed data subject access requests?

Time Limit

The time limit for acting on data subject access requests has been reduced from 40 days to one calendar month. An organisation must now act without undue delay and in any event within one month of receipt. The time limit can be extended by a further two months if the request is complex or there have been a number of requests from the individual. In these circumstances, an organisation must let the individual know within one month of receiving the request and explain why the extension is necessary. Unfortunately, there is no specific guidance on what would constitute ‘complex’ at this stage.

Fee

In most cases, organisations can no longer charge a fee for carrying out a data subject access request. However, where the request is manifestly unfounded or excessive, a “reasonable fee” may be charged for the administrative costs of complying with the request.

Refusal to deal with the request

Organisations can refuse to deal with data subject access requests if they are manifestly unfounded or excessive, taking into account whether the request is repetitive in nature. If an organisation refuses to comply with a request, they should inform the individual about the reasons for their decision, the right to make a complaint and the ability to seek to enforce this right through a judicial remedy. An organisation may also refuse to deal with a request if the person to whom the subject access request was addressed is not the data controller or the request infringes the EU doctrine of abuse of rights. In all cases, an organisation must inform the individual within one month.

Electronic access

Individuals can now make data subject access requests electronically. Where an individual makes a request electronically, an organisation should provide the information electronically, unless the individual requests otherwise.

If you have any questions around data subject access requests please contact Neil Williamson.