Schrems II – so what does UK business do?

To recap - sending personal data out of the EU/UK is a forbidden activity, unless you can get within a one of the legally permitted routes which are as follows:

• the data is going to an approved jurisdiction (EEA members, Canada, Australia, Argentina and a few others)
• EU Standard Contractual Clauses (Model Contracts)
• Binding Corporate Rules or
• GDPR Article 49 derogations.

Do you know on which basis your personal data is leaving the country to go to the USA? It is not just going to the USA that it causes problems. If the data goes to any country outside the approved jurisdictions, then one of the three other legalising mechanisms needs to be used. Binding Corporate Rules are hugely complex and used by international corporations. Article 49 derogations are incredibly limited so of little real use, which leaves Model Contracts.

The reason this matters is that if personal data is sent to the US (or any other unapproved jurisdiction, which is most of the world) by any business without a legally approved mechanism in place then each individual whose data is involved can claim compensation from that business.

This is why businesses should have done their dataflow mapping – to identify where data actually is stored and held.

In the aftermath of Schrems I, which closed down the previous US mechanism known as Safe Harbour, a lot of the big US companies set up data centres in the EU. Microsoft and Google set up in Ireland and other places in Europe. If your data is there then you can relax, but you need to find out.

However, it may be that your data is held outside the EU, so you need to ask every service provider where the servers holding your data physically are. The same goes for your suppliers with whom you place personal data. They may not know either.

The whole infrastructure which handles data is hugely complex but needs thorough mapping and understanding, so the business can manage its risks not just physically, but in terms of data management, data privacy and avoiding claims.

For more information and support please contact our GDPR Specialist:

Ian Sinclair-FordGDPR Specialistian.sinclairford@glenvillewalker.comT: 0151 305 9650 | M: 07786 394 679