Transfer and Processing of Data outside EU

VolvicSF

Free Member
Oct 28, 2019
3
0
Wondering if anyone can offer some advice.

We are company with 4 offices located in the EU and 2 offices located outside the EU. The staff working in our Non-EU offices work full time for our company but as contractors not as employees. They do not contract with any other companies and have been working for us for 10+ years.

Our customers are typically located outside the EU but we are starting to gain new customers based in the EU. We provide IT service contracts to our customers and offer a support desk function. This function may be resourced by the contractors in the Non-EU Countries. The Non-EU Countries are not on the Adequacy List.

Our service desk is hosted in the EU using a cloud based service.

How can we legally use Non-EU resources to process EU data? If the contractor downloads data from our service desk application to troubleshoot support issues, is this considered data transfer under GDPR? If so, do we need Standard Contract Clauses in place with the customer and contractor to permit this to happen?

Grateful for any advice you can provide.
 
Firstly, before I can answer this, I need to know whether the offices outside the EU are part of the same legal entity in the UK, or if they are separate companies (not just trading under the same name or "known as" the same name).

In essence, any access to data outside the EU is an international transfer, even if it is simply displayed on screen. There does not have to be a physical transfer for it to be classed as an International Transfer.

You would not put Standard Contractual Clauses in customer contracts; these will only apply to suppliers who process data on behalf of your business, or who you share it with for some legitimate reason.

VolvicSF

Free Member
Oct 28, 2019
3
0
Hi Mike

Thanks for your reply

The offices outside the EU are separate companies but 100% owned by the UK company. The same applies to our other companies in the EU. All companies will have access to personal data.
Ok, if they are separate companies, you will need to put in place Standard Contractual Clauses within contracts or data processing agreements between the UK company and the international companies. Even though they are owned by the UK company, for "international transfers" purposes they are treated as separate legal entities.

I should also point out (as you said you may have customers from the EU) that if you have customers in the EU after the UK leaves Europe, and we leave without a deal, you will need SCCs for any transfers from the EU to the UK and from the EU to the international locations too.
Transfers from the UK to Europe will still continue "as-is" because the UK considers Europe adequate, but Europe does not consider us adequate.

The SCCs available on the ICO website (https://ico.org.uk/media/2553983/ico-guidance-controller-to-processor.docx) will cover all the legal documentation aspects, but must be used without any editing of the clauses. The template is pretty easy to follow.

You will, however, need to ensure that your UK business's processes, and the processes you expect the international companies/employees to follow, are enforced. For example, is anyone accessing records that they shouldn't need to? (e.g. there was no support call or support email received when Mr X accessed a customer's record, therefore he shouldn't have been accessing it.)

You don't want to end up in a "talk talk" scenario, where some 'contractor' decides to take your customer's personal data and sell it or give it to someone else for their own purposes without your knowledge or consent.

Personally I would advise against allowing anyone to "download" data unless it's obviously needed, such as log files; and make sure you can prevent access to information, even on a field-by-field level where possible, based on actual necessity to see it.
The likes of Sky do this, ensuring that call centre agents cannot see any personal data until the customer has completed security questions, and even then their view may be restricted to only that which they need to do their job, hence why they often have to "escalate" to a manager or another department if a customer deviates from the norm.
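The two controls described in the answer above, an audit check that flags customer-record accesses with no support ticket behind them, and a field-level view that hides personal data until the caller has passed security questions, as an added Python example. This is not code from the thread or from any product it mentions; the tickets, access log, one-hour grace window and field policy are constructed assumptions.

```python
"""Access-justification audit and field-level redaction for a support desk.
All tickets, accesses, records and policy values below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    customer_id: str
    opened_at: datetime
    closed_at: Optional[datetime]  # None while the ticket is still open


@dataclass(frozen=True)
class Access:
    agent: str
    customer_id: str
    at: datetime


# Assumed: an access shortly before a ticket is logged, or shortly after it
# is closed, still counts as explained by that ticket.
GRACE = timedelta(hours=1)


def justifying_ticket(access: Access, tickets) -> Optional[Ticket]:
    """Return a ticket for the same customer whose lifetime covers the access."""
    for t in tickets:
        if t.customer_id != access.customer_id:
            continue
        start = t.opened_at - GRACE
        end = (t.closed_at + GRACE) if t.closed_at else datetime.max
        if start <= access.at <= end:
            return t
    return None


def unjustified_accesses(accesses, tickets):
    """Accesses to put in front of a reviewer: no ticket explains them."""
    return [a for a in accesses if justifying_ticket(a, tickets) is None]


# Assumed field policy: what each view level may see.
BASE_FIELDS = {"customer_id", "name", "open_tickets"}
VERIFIED_FIELDS = BASE_FIELDS | {"email", "phone", "device_serial"}
MANAGER_FIELDS = VERIFIED_FIELDS | {"date_of_birth", "billing_address"}


def allowed_fields(role: str, verified: bool) -> set:
    """Fields visible to a role, widening only once security questions pass."""
    if role == "manager":
        return MANAGER_FIELDS
    if role == "agent":
        return VERIFIED_FIELDS if verified else BASE_FIELDS
    return set()  # unknown roles see nothing


def redacted_view(record: dict, role: str, verified: bool) -> dict:
    """Copy of the record with every field outside the policy masked."""
    allowed = allowed_fields(role, verified)
    return {k: (v if k in allowed else "***") for k, v in record.items()}


# Constructed sample data
T = datetime(2019, 10, 28, 9, 0)
TICKETS = [
    Ticket("T-100", "C-1", T, T + timedelta(hours=2)),
    Ticket("T-101", "C-2", T + timedelta(hours=3), None),
]
ACCESSES = [
    Access("alice", "C-1", T + timedelta(minutes=30)),  # during T-100
    Access("bob", "C-2", T + timedelta(hours=4)),       # T-101 still open
    Access("carol", "C-3", T + timedelta(hours=5)),     # no ticket for C-3
    Access("alice", "C-1", T + timedelta(hours=6)),     # T-100 closed 4h earlier
]
RECORD = {
    "customer_id": "C-1",
    "name": "A. Customer",
    "email": "a.customer@example.com",
    "phone": "+44 20 0000 0000",
    "device_serial": "SN-CONSTRUCTED-1",
    "date_of_birth": "1980-01-01",
    "billing_address": "1 Example Street",
    "open_tickets": 0,
}

if __name__ == "__main__":
    for a in unjustified_accesses(ACCESSES, TICKETS):
        print(f"REVIEW: {a.agent} opened {a.customer_id} at {a.at} with no ticket")
    print(redacted_view(RECORD, "agent", verified=False))
    print(redacted_view(RECORD, "agent", verified=True))
```

The audit query is the part worth wiring into whatever writes the service desk's access log: it turns "Mr X had no reason to open that record" from a thing someone notices after the fact into a list that is reviewed every day. The redaction function sits in front of the record view, so an agent who has not completed the security questions never has the contact details on screen to download in the first place.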

VolvicSF

Free Member
Oct 28, 2019
3
0
Mike, thank you very much for your valued advice, much appreciated :) This is very helpful.