The UK and GDPR post-Brexit
Now that the UK has left the EU, this note provides insight into specific considerations and related actions that Rhetorik has developed to ensure continuous compliance and best practice in the matter of Data Privacy of Personal Data.
Now that the UK has left the EU, this note provides insight into specific considerations and related actions that Rhetorik has developed to ensure continuous compliance and best practice in the matter of Data Privacy of Personal Information.
The actions presented here refer exclusively to Rhetorik’s position as Data Controller and 3rd Party Data Provider of all data contained in NetFinder™ Database.
Rhetorik’s data processing interest is solely in the Business to Business field which, in some countries, means organisations are allowed to conduct direct marketing activities on an opt-out basis.
“As the government has incorporated the GDPR into UK data protection law, there has been little change in the UK to the core data protection principles, rights and obligations found in the GDPR.”
https://ico.org.uk/for-organisations/dp-at-the-end-of-the-transition-period/overview-data-protection-and-the-eu/
Any other specific and relevant actions in relation to Rhetorik as Data Processor are covered by individual License Agreements and specific Data Processing Agreements completed at the moment of engagement with a licensee (customer).
The following information does not represent legal advice to our customers, and we encourage you to seek independent advice to ensure you remain compliant as the UK’s legal framework may begin to diverge from that of the EU.
Rhetorik Processing of Personal Information
Data Subjects: General
For the purpose of Rhetorik’s processing, the location of the Business to which the Data Subject is linked determines the legislation that applies.
UK Businesses and their Data Subjects: Rhetorik is compliant with the GDPR 2016, the UK Data Protection Act 2018 and the Privacy & Electronic Communications Regulations (PECR) therefore UK-resident data subjects will continue to benefit from the highest form of protection and compliance.
EU Businesses and their Data Subjects: Rhetorik Ltd will continue to process EU personal data according to the GDPR and other relevant requirements.
- A specific Data Processing Agreement is in place with providers of EU and UK resident personal data to provide “appropriate safeguards” for EU and UK data subjects.
- Standard Contractual Clauses are being implemented to replace and/or enhance protection of rights of EU resident data subjects
- Rhetorik notifies all EU data subjects to ensure they have been informed that Rhetorik in the UK is processing their personal data connected to the data subject’s business address located in the EU
Other non-EU Businesses and their Data Subjects: Rhetorik compliance with GDPR, PECR, DPA and other e-privacy and data protection legislation provides Data Subjects with one of the highest forms of right and security executed worldwide. Furthermore, Rhetorik complies with local legislation, providing notice and registration as required.
No change to such practices will occur following the departure of the UK from the EU. Further updates from the ICO in regard to specific agreements will be executed in a timely manner as prescribed by the relevant legislation.
Processing 1: Storage
The NetFinder database, of which Rhetorik is Data Controller, is hosted in the EU and processed in the UK and Canada.
The personal data controlled by Rhetorik Ltd, is hosted on cloud-based servers in the EU.
The UK government has confirmed that transfers of data from the UK to the European Economic Area (EEA) will not be restricted, therefore we can continue to transfer data from our processing sites to the hosting sites in the EU.
The EU has granted the UK adequacy status, which means there will be no change to GDPR transfer rules from the EEA into the UK.
Further appropriate safeguards in the form of Standard Contractual Clauses will be in place to ensure that both sending and receiving parties of the transfer have entered into a contract incorporating standard data protection clauses adopted by the European Commission.
Processing 2: collection, recording, organization, structuring, adaption and alteration, retrieval, consultation, use, erasure or destruction
Rhetorik processes Personal Information of employees of businesses resident in the UK, EU and Non-EU countries
Each organization staff member listed in Netfinder is associated with a “physical” Business Address.
UK Processing: All Rhetorik UK staff are fully trained on the requirements for the processing of personal data to comply with the GDPR, PECR and other local E-Privacy laws.
New data protection regulations have been passed which will make technical amendments to the GDPR so that it works in a UK-only context.
Canada: Rhetorik Solutions Canada is a subsidiary of Rhetorik Ltd. As per Art.45 of GDPR processing to a 3rd country/territory, the European Commission has determined Canada to provide an adequate level of data protection. All Canadian staff are fully trained on the requirements for the processing of personal data to comply with the GDPR and PECR and other local E-Privacy laws.
USA: Some members of the management team of Rhetorik Ltd are located in the USA. For any access from the USA to personal data controlled and processed by Rhetorik, a specific DPA has been drafted as per the GDPR requirements.
All Rhetorik data processing centres follow the guidelines provided on data retention and destruction as defined by Rhetorik’s Data Privacy Policies.
Processing 3: retrieval, consultation, use, transmission, dissemination (Transfer to Licensee)
“The UK government intends to recognize the EU adequacy decisions which have been made by the European Commission prior to the exit date. This will allow restricted transfers to continue to be made to most organisations, countries, territories or sectors covered by an EU adequacy decision.”
| Licensee resident in UK | Licensee resident in EU/EEA | Licensee resident outside UK/EU | |
|---|---|---|---|
| UK Personal Data | Covered by our "fair processing" notice. Compliance with GDPR and PECR will remain in place. | The UK government has stated that transfers to the EEA will not be restricted, therefore we can continue to transfer data from Rhetorik Ltd in the UK to licensees in the EEA. | GDPR Adequacy decision applies. Standard Contractual Clauses will apply in addition to usual standard Rhetorik contract. |
| EU Personal Data | Covered by our "fair processing" Notice, no further actions required. | Covered by our "fair processing" Notice, no further actions required. | GDPR Adequacy decision applies. Standard Contractual Clauses will apply in addition to usual standard Rhetorik contract. |
| Non-EU Personal Data | Data Subject will be notified of Rhetorik processing and granted privacy rights as required by local regulations. | Data Subject will be notified of Rhetorik processing and granted privacy rights as required by local regulations. | Data Subject will be notified of Rhetorik processing and granted privacy rights as required by local regulations. |
Official Links
- https://www.gov.uk/government/publications/european-economic-interest-groupings-eeigs
- https://ico.org.uk/for-organisations/dp-at-the-end-of-the-transition-period/overview-data-protection-and-the-eu/
- https://edpb.europa.eu/sites/edpb/files/files/file1/edpb-2019-02-12-infonote-nodeal-brexit_en.pdf
- https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en