The rules about international data transfers have changed significantly in recent times. Consequently, these changes have impacted the way that UK-based employers should transfer HR/employment data (“HR Data”) outside of the UK, whether the recipient of this data is a group company or a third party.
Despite the complexity that arises from the changes, transferring HR Data outside of the UK does not have to be complicated, provided that an employer asks themselves a series of questions, as illustrated in the flow-chart below:
It is important for employers to follow the rules relating to making a “restricted transfer” as non-compliance will risk enforcement action from the relevant data protection regulator, including significant fines.
In this article we explore the answers to the questions in the flow-chart, to help employers navigate this tricky area.
1. Is a “restricted transfer” of personal data being made?
An employer will be making a restricted transfer of personal data if three conditions are satisfied.
- The EU GDPR or UK GDPR[1] applies to the processing of the personal data being transferred.
- The employer is sending the personal data, or making it accessible, to a receiver located in a country outside of the UK.
- The receiver is legally distinct from the employer, meaning it is a separate individual or organisation. This includes transfers to another company within the same corporate group. Importantly, a distinction should be made between an employer sending personal data to an employee of the same legal entity (even if that employee is located outside of the UK) which will not amount to a restricted transfer, and a similar transfer to a consultant which would be a restricted transfer.
For a UK employer, restricted transfers can arise (sometimes inadvertently) in a wide range of everyday contexts, and the rules apply irrespective of the size or frequency of the transfer. Some examples are where a business:
- outsources back-office functions, such as payroll, IT or HR, to a service provider based in a different country; or
- uses a group company based outside of the UK to perform certain functions; or
- uses a cloud provider for their IT systems or data storage, whose servers are located outside of the UK.
2. Is the receiver located in a country with an adequacy decision?
Where a restricted transfer of HR Data is being made, an employer should first consider whether the UK adequacy regulations apply. These are, in essence, a list of countries and territories that the UK Government has assessed as providing an adequate level of data protection (the UK list largely mirrors the adequacy decisions made by the European Commission). A restricted transfer to a location on that list is permissible without any further safeguard.
At the time of writing, the European Commission has recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan (private sector organisations), Jersey, New Zealand, Switzerland, the UK and Uruguay as providing an adequate level of protection for personal data.
The UK has recognised the same countries as listed above, in addition to all EEA countries and Gibraltar, as providing an adequate level of protection for personal data.
A notable absentee on the list is the USA which currently does not benefit from a UK adequacy decision. This means that any transfer of personal data to the USA (or indeed any country/territory not covered by an adequacy decision as above) is not automatically permissible and is only allowed if an appropriate safeguard is in place.
3. Is an appropriate safeguard under the UK GDPR in place?
Appropriate safeguards
The UK GDPR contains a number of appropriate safeguards, the most relevant of which for UK employers are likely to be Binding Corporate Rules and Standard Contractual Clauses which at a very high level are as follows:
Binding Corporate Rules (“BCRs”)
The BCRs operate to allow a restricted transfer between related group entities, i.e. transferring data to a subsidiary or holding company. Given the relatively narrow scope of BCRs (and the cost and time involved in setting them up), BCRs only tend to be used by a handful of large employers.
Standard Contractual Clauses (“SCCs”)
UK employers most commonly rely on SCCs for making a restricted transfer.
SCCs ensure that data is processed to the level of protection required under the UK GDPR. The SCCs contain contractual obligations (on the sender and receiver of the data) and give certain rights to individuals whose personal data is transferred which can be directly enforced against both the sender and recipient of the data. The framework surrounding SCCs has changed significantly in recent months – further details of these changes are set out below, under “Recent Developments”.
Transfer impact assessment
Before an employer can rely on an appropriate safeguard, it (together with any relevant parties) must first undertake a transfer impact assessment. As the name suggests, this assesses the impact that transferring the personal data will have on the level of protection the data currently benefits from in the UK.
This requires employers to consider two key factors: (i) the protections contained in the relevant safeguard (described above); and (ii) the legal framework of the destination country, including laws governing access to the data by public authorities, such as law enforcement and intelligence agencies, and whether those laws are effectively limited by independent oversight and enforceable rights for individuals.
Undertaking this assessment can be complex, and further guidance from the UK’s Information Commissioner’s Office (“ICO”) is awaited. Nevertheless, the conclusions of the assessment should be documented and retained alongside any contract entered into with the recipient of the data, so that they can be produced on request, because the UK GDPR requires data controllers (employers) to be able to demonstrate their compliance under the accountability principle.
Recent developments
SCCs and IDTA
There have been significant recent developments regarding SCCs. The old SCCs have been found unable to cater for modern data transfers, for example because they do not include the mandatory processor terms required under Article 28 of the UK GDPR.
In response, the European Commission has released a new set of standard contractual clauses (“EU SCCs”) to protect transfers of personal data outside of the EU (under the EU GDPR), which replace the old SCCs. Since 27 September 2021, senders of personal data have been unable to include the old SCCs in any new contract, and from 27 December 2022, any contracts that contain the old SCCs will need to be updated to include the new EU SCCs.
Further, the UK Government has also released its own new set of clauses via the International Data Transfer Agreement (“IDTA”).
The new EU SCCs are modular, with four ‘modules’ covering the possible relationships between sender and receiver: (i) Controller-Controller; (ii) Controller-Processor; (iii) Processor-Processor; and (iv) Processor-Controller. The relevant module for any particular contract depends upon the roles of the parties in handling the data. The IDTA, by contrast, is a single agreement in which the parties record their roles and the details of the transfer, rather than a set of modules. A UK employer will almost always be a data controller of its HR Data, because it determines the purposes (the ‘why’) and the means (the ‘how’) of the processing.
As an alternative to the IDTA, the UK Government has also released an international data transfer addendum (“UK Addendum”) which can be used in conjunction with the EU SCCs. This approach will be most practical for companies that are caught by both the EU GDPR and the UK GDPR. Both the IDTA and the UK Addendum came into force on 21 March 2022. The old SCCs cannot be used in any new contract entered into from 21 September 2022, and any organisation whose existing contracts use the old SCCs will need to replace them with either the IDTA or the EU SCCs plus the UK Addendum by 21 March 2024.
The above changes affect any agreement that currently includes the old SCCs, and any new agreement an employer is working on which involves a restricted transfer of personal data outside of the UK.
To summarise…
UK employers now have two approaches available to them to ensure compliance when making restricted transfers: (i) comply with the requirements of the IDTA; or (ii) incorporate the EU SCCs into the agreement, in conjunction with the UK Addendum.
It is important to note that neither approach removes the requirement to complete a transfer impact assessment before the transfer takes place. This assessment ensures that the laws and practices of the recipient country do not prevent the recipient from fulfilling its obligations under the SCCs or the IDTA. If they do, the transfer must not be made unless additional protections are put in place.
For a more detailed overview of how Taylor Vinters can help you update existing contracts or overcome the challenges of SCCs, you can download our Commercial Data Team’s SCCs Handbook here.
4. Does a derogation under the UK GDPR apply to the restricted transfer?
The exceptions (or derogations) under the UK GDPR for when a restricted transfer is permissible are precisely that: exceptions. They therefore should not be viewed as a “routine” alternative to implementing appropriate safeguards.
These exceptions include the individual giving their explicit consent to the transfer (having first been informed of the risks of transferring the data without an adequacy decision or appropriate safeguard), reasons of public interest, or the transfer being necessary for the performance of a contract with the individual. Employers should be particularly cautious about relying on consent for HR Data: given the imbalance of power in the employment relationship, it is difficult to show that an employee’s consent is freely given, and an employee can withdraw consent at any time.