Processing data in the EU post Brexit.
As the end of the Brexit transition period looms, are you aware of your obligations concerning the processing of personal data?
The EU GDPR legislation will become the Data Protection, Privacy and Electronic Communications Regulation or the UK-GDPR which, for the time being, is word-for-word exactly the same. When processing the data of UK citizens nothing much will change for now. It would be wise, of course, to update your policies to reflect your use of this new legislation albeit only by name. But, if you are processing the data of supporters, beneficiaries or members here in the UK who reside in the EU, things will be very different.
Article 27 of the GDPR says that if you do not have an establishment (office) in an EU state but are processing the personal data of citizens that reside there, you must appoint a Representative in that country. This is intended to protect the fundamental rights and freedoms of those individuals by offering them the means and convenience to object to the processing and freely exercise their rights.
On the 1st of January 2021, the UK is almost certain to lose its EU adequacy decision and is destined to become a “third country1”. All EU states (plus a few other countries) have this important agreement that allows the free flow of data cross-border. Essentially, it means that the country in question has the highest standards of data protection law necessary to protect an individual’s personal information. Transfers to third countries (including storage) require important safeguards if they are to comply with the law.
We estimate this will affect many charities who will be exposed to potential penalties imposed by EU supervisory authorities (the equivalent of our ICO). Of course, it will be easy to spot, particularly if you haven’t posted the in-country addresses of your representatives on your website. In a similar manner to the ICO’s recent search of Companies House, where it looked for organisations that were not registered as data controllers; the EU authorities may decide to search UK websites for potential offenders.
In readiness for this, Hope and May are pleased to announce their new Article 27 Rep service. We can now provide you with representation in all of the 27 EU states along with an online portal to deal with data subjects’ rights. If you think this may apply to you, please get in touch.
1 A country that is not a member of the European Union as well as a country or territory whose citizens do not enjoy the European Union right to free movement, as defined in Art. 2(5) of the Regulation (EU) 2016/399 (Schengen Borders Code).