Buck Bond Group

GDPR and Pension Schemes: Transfers Outside the European Union (and to the EU Post-Brexit)

by and Tags:

Volume 2017 | Issue 65

Download this FYI as a printable PDF

The General Data Protection Regulation (GDPR) imposes restrictions on the transfer of personal data from the European Union / European Economic Area (referred to as transfers to a third country or international organisation), in order to ensure that the level of protection of individuals afforded by the GDPR is not undermined. This includes onward transfers of personal data from the third country to controllers or processors in the same or another third country.

A new Data Protection Bill will be published in September to bring EU law into UK domestic law and it is intended that this Bill will be consistent with the GDPR “to help ensure the safe flow of data between the UK and key markets, such as the US and the EU”[1].

This is the sixth in a series of six briefing notes about the General Data Protection Regulation that takes effect in the UK from 25 May 2018.

Transfers on the Basis of an Adequate Level of Protection

The European Commission may decide that a third country, a territory or one or more specified sectors within that third country, or an international organisation ensures an adequate level of protection. In this case a transfer of personal data to such a destination will not require any specific authorisation (i.e. without any further safeguard being necessary). However, adequacy means having data protection laws that are essentially equivalent to those in the GDPR.

It is understood that the current adequacy findings will continue in the short term but as there are very few adequacy findings it is considered unlikely that many more will be made. Countries covered are: Andorra, Argentina, Canada (commercial organisations), Faeroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland and Uruguay. These have to be reviewed at least every four years.

In July 2016 the European Commission adopted a framework for dealing with transfers of personal data to the United States – the EU-U.S. Privacy Shield. This is a replacement for the US Safe Harbour framework which was ruled invalid by the European Court of Justice. It is not clear if the Privacy Shield will be subject to further legal challenge, although it potentially covers a wide range of transfers.

Transfers Subject to Appropriate Safeguards

Where an adequacy finding is not in place, a controller or processor may transfer personal data to a third country only if the controller or processor has provided appropriate safeguards and on condition that individuals’ rights are enforceable and effective legal remedies are available. There are a number of ways of providing appropriate safeguards (e.g. by a legally binding agreement between public authorities or bodies, via standard data protection clauses adopted by the European Commission, via an approved code of conduct).

Are there any specific situations where a transfer may be allowed?

Conditions that must be met
Individual has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers due to the absence of an adequacy decision and appropriate safeguards.
Transfer is necessary for the performance of a contract between the individual and the controller or implementation of pre-contractual measures taken at the individual’s request.
Transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the controller and another living or legal person.
Transfer is necessary for important reasons of public interest.
Transfer is necessary for the establishment, exercise or defence of legal claims.
Transfer is necessary in order to protect the vital interests of the individual or of other persons, where the individual is physically or legally incapable of giving consent.
Transfer is made from a register which under UK or EU law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest.

 

The GDPR also allows infrequent transfers involving only a limited number of individuals provided certain conditions are met (i.e. it is necessary for the purposes of a compelling legitimate interest of the controller, not overridden by the interests or rights and freedoms of the individual, provided that the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards to protect the personal data). The supervisory authority and the individual will have to be notified of the transfer.

Brexit and Data Protection

On 7 August 2017 the Department for Digital, Culture, Media & Sport published a Statement of Intent about a new Data Protection Bill. The Statement makes the point that the GDPR requires some modification to make it work for the benefit of the UK and that this new Data Protection Bill will make the necessary changes. It will repeal the Data Protection Act 1998.

In relation to transfers, the Statement explains that the government will be seeking to ensure that data flows between the UK and the EU, and also appropriately between the UK and third countries and international organisations, remain uninterrupted after the UK’s exit from the EU.

Impact on Pension Schemes

This will most likely be relevant where a pension scheme administrator outsources some or all of its processing functions to a third party (or a subsidiary or branch) outside the European Economic Area (EEA). Even if the data isn’t physically transferred but can be accessed from outside the EEA this will be treated as a transfer.

Transfers with the consent of an individual may be appropriate in some limited situations, but on the whole, obtaining the consent of members before a transfer is made will be extremely difficult.

Recommended Actions for Employers and Trustees

  • Consider what personal data may be being processed outside the EEA (i.e. has been transferred) or may be transferred in future and include details on the data mapping record.
  • Identify any contracts with service providers that may contain terms relating to international transfers and consider whether these are compliant with the GDPR.
  • Take legal advice where appropriate to ensure any transfers are compliant.
  • Monitor the implications of the new Data Protection Bill on transfers outside the EEA before the UK leaves the EU and to the EEA once the UK has left the EU.

Further Reading

Types of Personal Data

Personal data Special categories of personal data (‘sensitive data’) Pseudonymous data

This is any information relating to a living individual who can be identified (directly or indirectly) by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

The definition is more expansive than that under the Data Protection Act 1998, reflecting changes in technology (e.g. an IP address is deemed to be personal data).

This replaces the current definition of sensitive personal data, but is essentially the same. It would include:

  • personal data that reveals racial or ethnic origin, political opinions, religious beliefs, trade union membership
  • genetic data (inherited or acquired genetic characteristics)
  • biometric data (specific technical processing relating to physical, physiological or behavioural characteristics)
  • data concerning a person’s physical or mental health (including the provision of health care services, which reveal information about health status)
  • data concerning a person’s sex life or sexual orientation.

The GDPR generally prohibits processing of this personal data without the individual’s explicit consent.

This is a new category of data. The personal data is processed in such a manner that it cannot be attributed to a specific individual without the use of additional information. The additional information must be kept separately and subject to technical and organisational measures to ensure the data is not attributed to an identified or identifiable person.

[1] https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/635900/2017-08-07_DP_Bill_-_Statement_of_Intent.pdf