Data Processor Agreements Post Brexit

By Myles Dacres

The Outsourced DPO picked up an inbound support ticket this morning querying whether a data processor agreement was still relevant or required amending in light of Brexit and Schrems 2.

The processor agreement in question was that issued by the Danish Data Protection Authority, Datatilsysnet which has taken some flak but inherently is a good agreement. As a side note, if you do use it you should be check that you are using version 1.1 that was issued in January this year and carries a couple of corrections.

The Danish SA agreement https://edpb.europa.eu/sites/edpb/files/files/file2/dk_sa_standard_contractual_clauses_january_2020_en.pdf prohibits the processor from transferring personal data to a third country without documented instructions from the controller, and sets out that any such transfers must be carried out in accordance with the rules set out in Chapter 5 of the GDPR which includes mechanisms such as standard contractual clauses. For the avoidance of doubt, clause 8.3 summarises that processors are prohibited from using other processors in third countries as well as processing personal data themselves in a third country.

The processor agreement in itself is fine but does not cover off international transfers: you still need to have supplementary arrangements if personal data are being transferred to or processed in third countries or international organisations. This may seem obvious but as the Danish agreement is headed, “Standard Contractual Clauses” it has led to some confusion. This brings us to the issues of Brexit and Schrems.

Looking at Brexit first, there still seems a degree of uncertainty whether the UK will be classified as a “third country” for the purposes of the GDPR from 1st January by the EU. Current advice and guidance is that the UK will not classify EU member states as “third countries” (https://ico.org.uk/media/for-organisations/documents/brexit/2617110/information-rights-and-brexit-faqs-v2_3.pdf) but as the UK Government has said it will keep this under review, it is a possibility.

If adequacy is not granted by the EU and/or if the UK does not recognise the EU member states as having adequacy, transfers and processing of personal data across affected borders would need to be made on the basis of a mechanism such as standard contractual clauses (SCCs). Therefore, the only circumstances you can rely on from January as it stands today are those where all transfers and processing of personal data are carried out exclusively in the UK by you and the entirety of your processor network.

If you need to implement SCCs then you also need to consider the recommendations made by the European Data Protection Board last week. One would assume that the EDPB would not expect processors within the EU to be subject to its recommendation regarding supplementary steps but transfers and onward transfers to third countries would be. Another consideration is the revised SCCs published last week by the European Commission which are open for consultation until mid-December.

In summary the Danish processor agreement is sound, but transfers outside of the UK need to have supplementary documentation where they involve transfers to a “third country”. As it stands, the UK seems unlikely to classify EU member states as “third countries” – but the Government are keeping this under review. If you do need to implement an international transfer mechanism and chose to use SCCs, you need to take into account the EDPB recommendations on supplementary tools. You may also need to replace all of your SCCs in the New Year with the new set.

Contact Us

Send us a Message

    We would like to use your contact information to send you marketing and promotional materials and special offers by email from time to time. We may only send information to you in this way with your consent. Please indicate whether you consent to us contacting you in this way for those purposes. You may withdraw your consent at any time by clicking the unsubscribe link in our emails.


    We are always happy to make contact with you by either phone, email or a face to face meeting at our office or yours. We work standard UK office hours – every week day 0830 to 1730.


    IMPORTANT INFORMATION

    We have been receiving complaints over the last few weeks from people who have received unsolicited direct marketing calls from a company called The Protection People.  We should like to point out that we are Data Protection People and have nothing to do with those calls.

    We have been advising those people who have contacted us that they should make a complaint to the Information Commissioner’s Office (ICO) using this link https://ico.org.uk/make-a-complaint/nuisance-calls-and-messages/spam-texts-and-nuisance-calls/.  It would be helpful to the ICO if you knew the number that called you, the date and time of the call and what the call seemed to be about.

    You might also want to register your phone number with the telephone preference service (TPS), a national suppression service which should cut down calls of this nature as it is not lawful to make unsolicited direct marketing calls to numbers registered on the TPS.  You can register your number here https://www.tpsonline.org.uk/register.

    We know that these kind of calls can be distressing and intrusive and you have our sympathy.  Please do not hesitate to contact us if you would like to discuss it with us otherwise we’d encourage you to report it to the ICO as notifying them of this kind of practice enables them to investigate and take enforcement action where necessary.  You can see the action that has been taken by the ICO here https://ico.org.uk/action-weve-taken/enforcement/.

    Data Protection People Limited – March 2021