As the UK prepares to leave the EU, this note provides insight into specific considerations and related actions that Rhetorik has developed to ensure continuous compliance and best practice in the matter of Data Privacy of Personal Data (in the form of Business Card Information) during the Brexit Transition Period.
The actions here presented refer exclusively to Rhetorik’s position as Data Controller and 3rd Party Data Provider of all data contained in NetFinder™ and NetFinder+™ Database.
Rhetorik data processing interest is solely in the Business to Business field which, in some countries, means organisations are allowed to conduct direct marketing activities on an opt-out basis.
In the course of the transition period “the government intends to incorporate the GDPR into UK data protection law when we exit the EU – so in practice there will be little change to the core data protection principles, rights and obligations found in the GDPR.” https://ico.org.uk/for-organisations/data-protection-and-brexit/information-rights-and-brexit-frequently-asked-questions/
Any other specific and relevant actions in relation to Rhetorik as Data Processor are covered by individual License Agreements and specific Data Processing Agreements completed at the moment of engagement with a licensee (customer).
The following information does not represent legal advice to our customers, and we encourage you to seek independent advice to ensure you remain compliant as the UK goes through the process of leaving the EU.
Rhetorik Processing of Personal Data (Business Card Information)
Data Subjects: General
For the purpose of Rhetorik’s processing, the location of the Business to which the Business Card Owner (Data Subject) is linked determines the legislation that applies.
UK Businesses and their Data Subjects: Rhetorik is compliant with the GDPR and PECR therefore UK-resident data subjects will continue to benefit from the highest form of protection and compliance.
Irish and other EU Businesses and their Data Subjects: Rhetorik Ltd will continue to process Irish personal data according to GDPR and DPA requirements.
- A specific Data Processing Agreement is in place with providers of EU and UK resident personal data to provide “appropriate safeguards” for EU and UK data subjects.
- Standard Contractual Clauses are being implemented to replace and/or enhance protection of rights of EU resident data subjects
- Rhetorik notifies all EU data subjects to ensure they have been informed that Rhetorik in the UK is processing their personal data (in the form of Business Card Information) connected to the data subject’s business address located in the EU
Other non-EU Businesses and their Data Subjects: Rhetorik compliance with GDPR, PECR, DPA and other e-privacy and data protection legislation provides Data Subjects (Business Cards Owners) with one of the highest forms of right and security executed worldwide. Furthermore, Rhetorik complies with local legislation, providing notice and registration as required.
No change to such practices will occur in the course of the Transition Period. Further updates from the ICO in regard to specific agreements will be executed in a timely manner as it will be prescribed by the relevant legislation.
Processing 1: Storage
The NetFinder™ database, of which Rhetorik is Data Controller, is hosted in the EU and processed in the UK and Canada.
The personal data (in the form of Business Card Information) controlled by Rhetorik Ltd, is hosted on cloud-based servers in the EU.
The UK government has confirmed that transfers of data from the UK to the European Economic Area (EEA) will not be restricted, therefore we can continue to transfer data from our processing sites to the hosting sites in the EU.
During the transition period, the UK will continue to be covered by the GDPR as if it was still an EU member state. This is expected to last for 1 year or more and means there will be no change to GDPR transfer rules from the EEA into the UK during this period.
Further appropriate safeguards in the form of Standard Contractual Clauses will be in place to ensure that both sending and receiving parties of the transfer have entered into a contract incorporating standard data protection clauses adopted by the European Commission.
Processing 2: collection, recording, organisation, structuring, adaption and alteration, retrieval, consultation, use, erasure or destruction
Rhetorik processes Business Card Information of employees of businesses resident in the UK , EU and Non-EU countries
Each Business Card listed in Netfinder and NetFinder+ is associated with a “physical” Business Address.
UK Processing: All Rhetorik UK staff are fully trained on the requirements for the processing of personal data to comply with the GDPR, PECR and other local E-Privacy laws.
The UK government intends to incorporate the GDPR into UK data protection law when the UK exits the EU. New data protection regulations have been passed which will make technical amendments to the GDPR so that it works in a UK-only context from exit day.
Canada: Rhetorik Solutions Canada is a subsidiary of Rhetorik Ltd. As per Art.45 of GDPR processing to a 3rd country/territory, the European Commission has determined Canada to provide an adequate level of data protection. All Canadian staff are fully trained on the requirements for the processing of personal data (in the form of Business Card Information) to comply with the GDPR and PECR and other local E-Privacy laws.
USA: Some members of the management team of Rhetorik Ltd are located in the USA. For any access from the USA to personal data (in the form of Business Card Information) controlled and processed by Rhetorik, adequacy decision and a specific DPA has been drafted as per the GDPR requirements.
All 3 data processing centres follow the guidelines provided on data retention and destruction as defined by Rhetorik’s Data Privacy Policies.
Processing 3: retrieval, consultation, use, transmission, dissemination (Transfer to Licensee)
“The UK government intends to recognise the EU adequacy decisions which have been made by the European Commission prior to the exit date. This will allow restricted transfers to continue to be made to most organisations, countries, territories or sectors covered by an EU adequacy decision.”
Licensee resident in UK
Licensee resident in EU/EEA
Licensee resident outside UK/EU
UK Personal Data
|compliance with GDPR and PECR will remain in place
|The UK government has stated that transfers to the EEA will not be restricted, therefore we can continue to transfer data from Rhetorik Ltd in the UK to licensees in the EEA.||GDPR Adequacy decision applies. Standard Contractual Clauses will apply in addition to usual standard Rhetorik contract.|
EU Personal Data
|Covered by our Notice, no further actions required.
|Covered by our Notice, no further actions required.
|GDPR Adequacy decision applies. Standard Contractual Clauses will apply in addition to usual standard Rhetorik contract.|
Non-EU Personal Data
|Data Subject will be notified of Rhetorik processing and granted privacy rights as required by local regulations||Data Subject will be notified of Rhetorik processing and granted privacy rights as required by local regulations||Data Subject will be notified of Rhetorik processing and granted privacy rights as required by local regulations|