Q&As

In a no-deal Brexit scenario where personal data will be transferred by an EU controller to a UK processor and that processor will then transfer the personal data to a subprocessor outside the UK and EU, Model Clauses in place between the EU controller and the UK processor will require the processor to impose the same obligations as in those Model Clauses on the subprocessor (or that the subprocessor co-signs those Model Clauses). Does there also need to be Model Clauses in place between the EU controller and the (non-UK and non-EU) subprocessor?

read titleRead full title
Produced in partnership with JP Buckley of DWF LLP
Published on LexisPSL on 31/10/2019

The following Public Law Q&A produced in partnership with JP Buckley of DWF LLP provides comprehensive and up to date legal information covering:

  • In a no-deal Brexit scenario where personal data will be transferred by an EU controller to a UK processor and that processor will then transfer the personal data to a subprocessor outside the UK and EU, Model Clauses in place between the EU controller and the UK processor will require the processor to impose the same obligations as in those Model Clauses on the subprocessor (or that the subprocessor co-signs those Model Clauses). Does there also need to be Model Clauses in place between the EU controller and the (non-UK and non-EU) subprocessor?
  • International transfer restrictions
  • Clause 11(1) of the Model Clauses
  • Summary of issues

This Q&A considers the hypothetical scenario in which the UK leaves the EU and EEA, without any deal regarding a transition period, from the perspective of generally applicable EU law and UK laws that are currently anticipated to apply in that situation. For further background on Brexit and data protection, see Practice Note: Brexit—implications for data protection.

For the purposes of this Q&A, we assume that whenever data protection laws impose restrictions on international transfers of personal data, the only available mechanism to legitimise the transfer is Model Clauses (eg that no adequacy decisions, appropriate safeguard or derogations are available in the circumstances).

International transfer restrictions

As explained in detail in Practice Note: International transfers of personal data under the GDPR, the regime under Regulation (EU) 2016/679 (GDPR) (which, while the UK is a member of the EU (or broader EEA), also currently applies to the UK) imposes restrictions on the transfer of personal data. Article 44 of the GDPR applies to controllers and processors and generally prevents transfers of personal data to ‘third countries’ outside the EEA or to certain ‘international organisations’ unless one of the following is in place:

  1. adequacy decision (eg including use of the EU-US Privacy Shield where available)

  2. appropriate safeguard

  3. derogation (or exemption)

Controllers are generally responsible for their processor’s compliance with the GDPR. It follows that responsibility for complying with international transfer

Related documents:

Popular documents