The President of UODO explains how to transfer personal data from Poland to the UK in case of Brexit

In view of the high likelihood that the United Kingdom will withdraw from the European Union without an international agreement regulating this issue, the President of the Personal Data Protection Office explained at a press briefing on 17 January 2019 what the consequences would be for Polish data controllers and processors. She also gave advice on how to prepare properly for this.

Current rules on data transfers will apply only until 29 March 2019

Until 29 March 2019, that is, for as long as the United Kingdom remains a Member State of the European Union, data may be transferred freely to entities operating in the UK territory without any additional limitations, just as has been the case so far. Data transfers within the EU rely on the principle of free data flow, according to which the transfer of personal data from Poland to other States of the European Economic Area (the EU as well as Iceland, Liechtenstein and Norway) is treated in the same way as if it took place in the territory of Poland. It is required to comply with the basic data processing principles and the resulting obligations.

As of 30 March 2019 the United Kingdom will be treated as a third country

In the light of the General Data Protection Regulation (2016/679; hereinafter referred to as the GDPR), as of 30 March the United Kingdom will be treated as a third country. This means that all data transfers to the UK must meet additional requirements on data transfers to third countries or international organisations, which are specified in Chapter V of the GDPR.  

How to ensure legitimacy of data transfers after 29 March 2019?

Both Polish entrepreneurs and public entities must prepare for this in advance, so as to ensure the legitimacy of data transfers to the United Kingdom under the new legal situation applicable as of 30 March 2019.

What steps shall be taken before 30 March 2019?

Each data controller or processor currently transferring data to the United Kingdom shall:

  • Identify which data are currently transferred to the United Kingdom, for what purposes and on what legal basis;
  • Decide whether these transfers will continue after 29 March 2019;
  • Choose and implement a relevant mechanism or legal basis enabling data transfer;
  • If needed, modify:
    • the internal data processing documentation, including a record of processing activities,
    • the information clauses,
    • the existing Binding Corporate Rules;
  • Follow the information on the process of the UK’s withdrawal from the EU, as it is not yet certain under what rules it will take place, and this may have an impact on the obligations related to data transfer.

Depending on the course of events in the coming weeks the President of the Personal Data Protection Office will provide up-to-date information and guidelines.

Data transfer to a third country

As a rule, data transfer to a third country can take place where the Commission has decided that the third country ensures an adequate level of personal data protection. Where an adequacy decision has been issued in relation to the third country, data transfer is allowed without the need to undertake any additional activities. The EC has issued such decisions e.g. in relation to Canada, New Zealand or Israel.

Unfortunately, it is not possible for the EC to issue such a decision on the United Kingdom by the end of March 2019. Therefore, until the EC issues a relevant decision, alternative solutions enabling data transfer shall be examined.

Standard contractual clauses

Entrepreneurs shall first consider using the standard contractual clauses on data protection approved by the EC.

Currently, three decisions of the European Commission apply:

1)      Decision 2001/497/EC on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC. The text of the Decision is available at:

https://eur-lex.europa.eu/legal-content/en/TXT/PDF/?uri=CELEX:32001D0497&from=en

2)      Decision 2004/915/EC amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries. The text of the Decision is available at:

https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2004:385:0074:0084:en:PDF

3)      Decision 2010/87/EU on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, which enables data transfer to processors in third countries. The text of the Decision is available at:

https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2010:039:0005:0018:en:PDF

Binding Corporate Rules

International groups of companies can also use Binding Corporate Rules which have been previously approved by the Inspector General for Personal Data Protection or one of the data protection authorities of the EU Member States within the consistency procedure provided for by the GDPR. It needs to be remembered that the existing Binding Corporate Rules must be modified by including importers of data from the United Kingdom in the group of third countries.

Safeguards in the public sector

Data transfer by public authorities and entities can take place without the need to obtain the consent of the President of the Personal Data Protection Office on the basis of a legally binding and enforceable instrument between public authorities and entities. Data transfer is also possible with the consent of the President of the Personal Data Protection Office on the basis of administrative arrangements between public authorities or entities providing for enforceable and effective rights of data subjects.

Derogations for specific situations

The GDPR allows data to be transferred to a third country that does not ensure an adequate level of protection, or where appropriate safeguards such as standard contractual clauses or Binding Corporate Rules have not been provided. This is possible in the specific situations referred to in Art. 49 of the GDPR, which include the following:

1)      The data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards. It needs to be stressed that the consent must:

  1. be explicit,
  2. concern specifically a transfer or a set of data transfers,
  3. be informed; in particular, the person expressing the consent must be aware of the possible risk which can be related to the transfer.

2)      The transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request.

3)      The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person.

4)      The transfer is necessary for important reasons of public interest.

5)      The transfer is necessary for the establishment, exercise or defence of legal claims.

6)      The transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.

7)      The transfer is made from a public register.

8)      The transfer is necessary for the purposes of compelling legitimate interests pursued by the controller and additional requirements have been fulfilled.

The European Data Protection Board discussed the above-mentioned grounds for data transfer in detail in its guidelines, available at:

https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-22018-derogations-article-49-under-regulation_en

Situation of entrepreneurs processing data of Polish citizens when providing their services inter alia in the United Kingdom

The GDPR will still be directly applicable to such entrepreneurs, as the GDPR also applies to the processing of data concerning persons who are in the EU by a controller or processor not established in the Union, where the processing activities are related to:

  • the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
  • the monitoring of their behaviour as far as their behaviour takes place within the Union.

Such entrepreneurs must designate in writing a representative in the EU, in the Member State where the data subjects are located whose data are processed in connection with the offering of goods or services to them, or whose behaviour is monitored.

Entrepreneurs must designate a representative if the processing carried out by them is occasional, does not include, on a large scale, processing of special categories of data, or processing of personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing.

The European Data Protection Board adopted the first version of the Guidelines 3/2018 on the territorial scope of the GDPR, which are available in English at:

https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en

2019-02-04