The European Data Protection Board (EDPB) has adopted an information note addressed to companies and public authorities on data transfers under the General Data Protection Regulation in the event of a no-deal Brexit.
Data flows from the EEA (European Economic Area) to the United Kingdom
In the absence of an agreement between the EU and the United Kingdom (“no-deal Brexit”), the United Kingdom will become a third country from 00.00 CET on 30 March 2019. As a consequence, transfers of personal data from the EEA to the United Kingdom will have to be based on one of the following instruments: standard data protection clauses or ad hoc data protection clauses, binding corporate rules, codes of conduct and certification mechanisms, and the specific transfer instruments available to public authorities. In the absence of standard data protection clauses or other appropriate safeguards, certain derogations may be used under specific conditions.
Data flows from the United Kingdom to the EEA
As regards data transfers from the United Kingdom to the EEA, according to the UK Government the current situation, which allows personal data to flow freely from the United Kingdom to the EEA, will continue even in the event of a no-deal Brexit.
THE FULL TEXT FOLLOWS:
Information note on data transfers under the GDPR in the event of a no-deal Brexit
Adopted on 12 February 2019
In the absence of an agreement between the EEA and the UK (no-deal Brexit), the UK will become a third country from 00.00 am CET on 30 March 2019. This means that the transfer of personal data to the UK has to be based on one of the following instruments as of 30 March 2019:
– Standard or ad hoc Data Protection Clauses
– Binding Corporate Rules
– Codes of Conduct and Certification Mechanisms
– Derogations
This note provides information to commercial and public organisations on these transfer instruments under the GDPR for the transfer of personal data to the UK in the event of a no-deal Brexit.
The EDPB builds upon the guidance provided on this matter by supervisory authorities and by the European Commission (EC). EEA organisations may turn, if necessary, to the national supervisory authorities competent to oversee the related processing activities.
I. 5 steps organisations should take to prepare for a no-deal Brexit
When transferring data to the UK, you should:
- Identify what processing activities will imply a personal data transfer to the UK
- Determine the appropriate data transfer instrument for your situation (see below)
- Implement the chosen data transfer instrument to be ready for 30 March 2019
- Indicate in your internal documentation that transfers will be made to the UK
- Update your privacy notice accordingly to inform individuals
II. Data transfers from the EEA to the UK
1. Available transfer instruments
In the absence of an adequacy decision at the time of the Brexit, the following are the available data transfer instruments.
a. Standard and ad hoc Data Protection Clauses
You and your UK counterpart may agree on the use of Standard Data Protection Clauses approved by the European Commission. These contracts offer the additional adequate safeguards with respect to data protection that are needed in case of a transfer of personal data to any third country.
Three sets of Standard Data Protection Clauses are currently available:
- EEA controller to third country (e.g. UK) controller: 2 sets are available:
  o 2001/497/EC
  o 2004/915/EC
- EEA controller to third country (e.g. UK) processor:
  o 2010/87/EU
It is important to note that the Standard Data Protection Clauses may not be modified and must be signed as provided. However, these contracts may be included in a wider contract and additional clauses might be added provided that they do not contradict, directly or indirectly, the Standard Data Protection Clauses adopted by the European Commission. Considering the timeframe before the 30th of March, the EDPB acknowledges that the Standard Data Protection Clauses are a ready-to-use instrument.
Any further modification of the Standard Data Protection Clauses means that they will be considered ad hoc contractual clauses. Such clauses can provide appropriate safeguards that take account of your particular situation.
Prior to any transfer, these tailored contractual clauses must be authorised by the competent national supervisory authority, following an opinion of the EDPB.
b. Binding Corporate Rules
Binding Corporate Rules are personal data protection policies adhered to by a group of undertakings (i.e. multinationals) in order to provide appropriate safeguards for transfers of personal data within the group, including outside of the EEA.
You may already have BCRs in place or cooperate with processors which make use of BCRs for Processors. Organisations may still rely on BCRs authorised under the former Directive 95/46/EC, which remain valid under the GDPR. These BCRs need however to be updated to be fully in line with the GDPR provisions.
If you do not have BCRs in place, they must be approved by the competent national supervisory authority, following an opinion of the EDPB.
You can find further explanations on the conditions to apply for Binding Corporate Rules on the EDPB website.
c. Codes of conduct and certification mechanisms
A code of conduct or a certification mechanism can offer appropriate safeguards for transfers of personal data if they contain binding and enforceable commitments by the organisation in the third country for the benefit of the individuals.
These tools are new under the GDPR and the EDPB is working on guidelines in order to give more explanations on the harmonized conditions and procedure for using these tools.
2. Derogations
It is important to underline that the derogations allow data transfers under certain conditions and are exceptions to the rule of having put in place appropriate safeguards (see the above mentioned instruments like BCRs, standard data protection clauses…) or of transferring the data on the basis of an adequacy decision. They must therefore be interpreted restrictively and mainly relate to processing activities that are occasional and non-repetitive.
These derogations include amongst others according to article 49 GDPR:
- where an individual has explicitly consented to the proposed transfer after having been provided with all necessary information about the risks associated with the transfer;
- where the transfer is necessary for the performance or the conclusion of a contract between the individual and the controller or the contract is concluded in the interest of the individual;
- if the data transfer is necessary for important reasons of public interest;
- if the data transfer is necessary for the purposes of compelling legitimate interests of the organisation.
You can find further explanations on available derogations and how to apply them in the EDPB Guidelines on Article 49 of GDPR.
3. Instruments exclusively available to public authorities or bodies
Public authorities may consider using the mechanisms which the GDPR considers more appropriate to their situation.
One option is to use a legally binding and enforceable instrument, such as an administrative agreement, a bilateral or multilateral international agreement. The agreement must be binding and enforceable for the signatories.
The second option is to use administrative arrangements, such as Memoranda of Understanding, which although not legally binding must however provide for enforceable and effective data subject rights. The administrative arrangements are subject to an authorisation by the competent national supervisory authority, following an opinion of the EDPB.
In addition, the abovementioned derogations are also available for transfers by public authorities, subject to the application of the relevant conditions.
For public authorities exercising criminal law enforcement functions, additional transfer tools are available.
III. Data transfers from the UK to EEA Members
According to the UK Government, the current practice, which permits personal data to flow freely from the UK to the EEA, will continue in the event of a no-deal Brexit.
To this end, the UK Government’s and the ICO’s websites should be regularly consulted.
For the European Data Protection Board
The Chair (Andrea Jelinek)