The EU has special rules (including EU standard contractual clauses) for what you need to do when sending personal data in and out of the EU.
Many small businesses don’t realise this and share data in and out of the EU without the appropriate processes in place.
Are you processing personal data?
Sitting at your desk viewing data without changing it at all is ‘processing data’ from the EU and GDPR point of view.
You don’t have to change it or upload it to a database to be processing it.
What if we are both in the EU/EEA?
If you and your client (or you and your associate are both in the EU/EEA) you will need a contract, a written data processing agreement, and proper security to share personal data. The member states are viewed by the EU as having adequate data privacy protection.
If you are sharing high-risk data or special category data you will need to do a lot more – but we are covering the basics here.
These documents are in your KoffeeKlatch folder if you are using our Global contract range and enable you both to sit down over a Zoom call and work out what you are going to do.
You can find a list of member countries here https://www.gov.uk/eu-eea .
What if one of you is not in the EU/EEA?
The EU has a system of approving the data privacy standards of countries not in the EU/EEA. The EU makes a finding of ‘adequacy’.
You can find a list of countries whose data privacy systems are accurate here:
The UK was also granted adequacy status this summer.
Check this list as you take on new associates and clients. Countries are added and removed.
Transfers between you and your client or you and your team when you are both in countries with ‘adequate’ data privacy laws do not normally require any additional steps beyond the basics set out above.
Transfers to ‘non-adequate countries’ need EU standard contractual clauses.
The EU requires the use of ‘EU standard contractual clauses ‘ (SCCs) The first version existed from the start of GDPR but those documents are no longer valid from 27 September. You must use the new version.
The clauses are written by committee and very much aimed at large corporations. But they still apply to you.
The USA was ‘adequate’ a while ago using the Data Privacy Shield, but this finding has now been revoked and the USA is no longer regarded as an adequate country. There are many countries we routinely share data with that are not on the list!
KoffeeKlatch Global contracts have new EU standard contractual clauses
If you are sharing data across borders in and out of a non-adequate country you will need to update your SCCs. This is trickier than it looks since the new versions require you to choose from various options depending on whether you are a data controller, data processor, or sub-data processor and whether you are exporting or importing data (or both).
Most KoffeeKlatch clients are importing and exporting data since it is usual to view it and amend it and pass it back and forth.
We are dropping new documents in the KoffeeKlatch zone, along with new videos explaining how to use your revised EU data processing form. If you are a customer within your support period you will be getting an email (and an announcement in the customer support group letting you know your documents are there0.
What is the UK doing?
The UK has consultation documents out which talk about creating UK versions of standard contractual clauses and having a separate list of adequate countries. Once these arrangements are finalising we will be adding the necessary documents to the KoffeeKlatch Zone.
Don’t ignore this
If the whole thing makes your headache – I don’t blame you! But please don’t ignore this update if it applies to you.
Your professional indemnity insurance may not be valid if you are working on the old terms, or none at all.
KoffeeKlatch’s range of global contracts is designed for you to issue to your customers, with separate team contracts to issue to the people you pay. Helping your microbusiness comply without making you wade through all the jargon to do so. Keeping those ducks in a row.
For more information on our global range click here: https://www.koffeeklatch.co.uk/global/
