GDPR, Brexit and Customers of Axiell ALM UK [UPDATED]

‘Data Adequacy Between the EU & UK’ Update 12/07/2021

The EU has now formally recognised the UK’s data protection standards. This follows the UK’s recognition of EU and EEA member states as ‘adequate’ under its new, independent data protection policy.

This means that customers within the EU who use our services, or UK customers whose systems are hosted by us in the EU, do not need to put any additional legal framework in place, aside from the usual Data Processing Agreement.

GDPR, Brexit and Customers of Axiell ALM UK 16/12/2020

We are getting a number of enquiries from customers regarding Axiell UK’s data protection position post Brexit. The situation is somewhat fluid and unclear at the moment, but we provide our perspective on it below:

Depending on the outcome of the ongoing Brexit negotiations, it is possible that after 31st December 2020, the United Kingdom will not be recognised as having ‘adequacy’ under the EU’s GDPR regulations. ‘Adequacy’ in this sense is a technical term meaning that one data protection regime regards another as providing adequate safeguards to protect personal data.

We don’t anticipate that this will raise any issue for data flows with our UK based customers, as Axiell ALM UK will continue to comply with the new UK GDPR legislation, and Axiell’s EU based operations fall within the adequacy granted to the EU GDPR by the UK government. However, the potential lack of UK adequacy from the EU’s perspective does have implications for those of our customers who are based outside the UK, but are serviced by Axiell’s UK based entity.

In order to comply with EU GDPR in the eventuality of no UK adequacy decision being reached, we recommend that our EU based customers employ an ‘appropriate safeguard’ to enable personal data to continue to be exported to the UK. Such a safeguard would be to enter into a Controller to Processor Data Transfer Agreement with Axiell ALM UK.

For the convenience of our customers, we have drafted such an agreement, based on the EU GDPR approved ‘Standard Contractual Clauses’ (SCC), which is aimed at satisfying this requirement. The document will need to be signed by an authorised person on behalf of the Data Controller (Customer) and returned to us. The agreement can be thought of as insurance, which will only take effect in the event of a no-adequacy situation arising.

If you are a customer based in the EU, we will be emailing you a copy of this agreement for your consideration. You may of course choose to draft your own version of a similar agreement if you prefer, based on advice from your own national data regulator, but it is important that the SCC clauses be unchanged in order to achieve compliance with EU GDPR.

For further information, please refer to resources on the ICO website, or those of your national equivalent body if outside the UK.

‘Brexit Deal Agreed’ Update 30/12/2020

Following the welcome announcement on 24th December that agreement had been reached on trade between the UK and EU after Brexit, the UK’s Information Commissioner’s Office (ICO) has provided an update on what this means for data transfers across international borders.

The threat of a ‘cliff edge’ cut-off date of 31st December has been avoided. A further six month period is being allowed during which data can continue to flow freely between the EU and the UK to permit time for the achievement of an adequacy decision.

The ICO is recommending that appropriate safeguards, as we outlined above, should continue to be put in place, but at least now there is no desperate urgency to do so.

See the full text of the ICO press release here
