Updated Data Processing Agreements
The GDPR, first in its EU form and now living on, post-Brexit, in the UK as the UK GDPR, has been with us for three years and, over that time, has been one of the most talked-about legal topics across a broad range of businesses.
The EU GDPR was retained in UK law by virtue of the European Union (Withdrawal) Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, resulting in the UK GDPR. The UK GDPR forms part of a broader body of legislation, including the Data Protection Act 2018 and, often, the Privacy and Electronic Communications Regulations 2003, commonly referred to in legal documents as “the data protection legislation”. For many small businesses, the UK GDPR is the primary focus. The obligations and rights set out in the EU GDPR remain in the UK GDPR and, for the most part, are unchanged.
Updates to our Data Processing Templates
Data processing lies at the heart of the UK GDPR. In broad terms, whatever you do with personal data, you are “processing” it. It is often the case that one business will contract out a certain amount of personal data processing to another. This may be specifically because another business is geared towards specialised processing of certain types of personal data, or it may be but one element of a broader service contract. Either way, all data processing carried out by a data processor on behalf of a data controller must be covered by a written contract.
Simply-Docs currently offers three different varieties of Data Processing Agreement. A UK-only version was added to the site last year and now our “UK and UK to EEA” and “UK to non-EEA” versions have been updated. Both templates have been re-written from the ground up, ensuring that they are compatible with the UK GDPR and incorporating considerably more detail, making them easier to understand and, most importantly, to follow.
The UK and UK to EEA Data Processing Agreement is designed for use where a data controller in the UK collects and uses personal data (about its customers or staff, for example), and wishes to engage a data processor located in the UK or EEA to process that personal data on its behalf. The UK is no longer part of the EU or EEA, but transfers of personal data from the UK to EEA countries are permitted to continue unrestricted.
For those who need to transfer personal data beyond the EEA, we have the UK to non-EEA Data Processing Agreement. Transfers to non-EEA countries must comply with additional rules. Various legal bases are available, each designed to ensure that the personal data and the rights of individual data subjects are protected to standards equivalent to those under the UK’s data protection regime. The agreement includes a number of options to choose from, including the EU Commission’s “Standard Contractual Clauses” which, for the time being at least, remain valid in the UK.
What’s on the Horizon?
Changes both in the UK and in the EU are coming. Both the EU and the UK have new Standard Contractual Clauses in the works. The current SCCs are ripe for modernisation, hailing as they do from 2010, notably pre-GDPR. The EU Commission is currently consulting on a draft of their new SCCs and the ICO will likely be consulting on new SCCs of their own sometime this summer.
Transfers of personal data from the EU to the UK are also very much in the spotlight at present. From the end of the Brexit transition period on 31 December 2020, under the terms of the Trade and Cooperation Agreement, a “bridge” period enables such transfers to continue without restrictions for up to six months, pending an adequacy decision from the European Commission.
On 19 February, the European Commission published its draft adequacy decision, finding the UK’s data protection regime to be adequate. Since then, the draft decision has been considered by the European Data Protection Board and commented upon by the European Parliament. Concerns have been raised in both cases, but the final decision is yet to be made. The European Commission will ultimately need approval from a committee of representatives from each EU Member State. If that committee approves the draft decision, the Commission can formally adopt it as an adequacy decision, meaning that data flows can continue. With only one month remaining in the bridge period, we will be watching developments closely!
The contents of this Newsletter are for reference purposes only and do not constitute legal advice. Independent legal advice should be sought in relation to any specific legal matter.