New compliance requirements for cross-border transfers of the personal data of EU and UK data subjects

What are the changes?

The legality of some of the common methods of cross-border transfer of the personal data of European Union (EU) and United Kingdom (UK) data subjects has changed under the General Data Protection Regulation (GDPR).

As a result, for EU data to be transferred legally across borders to Australia and the US (where Lexer’s data centres are located), parties exchanging data need to have in place a specific data processing addendum which includes the “Standard Contractual Clauses” (SCCs) drafted by the European Commission.

The UK also has its own GDPR-equivalent laws following Brexit, so the same issue will also impact those conducting cross-border transfers of the personal data of UK data subjects. It can be remedied by the same method, plus an additional UK annexure.

Will this affect me?

If you hold personal data about residents of the European Economic Area (EEA) or the United Kingdom (UK), this change will affect you.

Since Lexer’s data centres are located in the US and Australia, clients of Lexer holding personal data from EU and UK residents will be impacted.

What does this mean for my business?

There is a compliance risk under the GDPR and UK equivalent Data Protection Act if you conduct cross-border data transfers between the EEA/UK and Australia/US without taking the recommended action (see What do I need to do next?).

What do I need to do next?

Lexer has published a new Data Processing Addendum (DPA) on our website, which incorporates the most up-to-date version of the SCCs. To ensure your own compliance, this document needs to be agreed to by 27 December 2022.

Our clients that hold the personal data of EU residents can now enter into our new DPA to ensure compliance with the GDPR.

For our clients who hold the personal data of UK residents, our DPA also includes an optional International Data Transfer Agreement (IDTA) covering the UK-equivalent privacy laws.

If:

  • you have a separate written agreement with us that uses another form of Data Processing Addendum (e.g. your version);
  • your MSA with us does not refer to our online version of the Data Processing Addendum as may be amended from time to time;
  • your alternative data processing agreement includes the SCCs as existed prior to 4 June 2021; or
  • you are unsure whether your data processing agreement terms are up to date with the current version of SCCs,

we strongly recommend that you click here to accept in writing Lexer’s new DPA, which includes the new SCCs and IDTA, by 27 December 2022.

Please note that any client is free to update their DPA with us.

While this is an opt-in process, it is highly recommended because the cross-border transfer of data to Lexer without a current DPA in place is a compliance risk for our clients.

How widespread is this change? Why haven’t I heard about this from other suppliers?

This change affects all cross-border transfers of personal data to Australia and the US, and all data processing agreements which were based on the previous version of the SCCs. That version is now being phased out, and all such agreements need to be on the new SCCs by 27 December 2022.

If you haven’t heard from other suppliers about this change, it may be for a number of reasons. They may have data centres located in the EU/UK or a country considered by the EU to have equivalent protective status (e.g. New Zealand), or they may have made a unilateral change to their online data processing addendum without seeking your consent.

We have chosen to communicate with our clients to inform you of this change and, once you are informed, to ask you to accept these new terms.

How can I get more information?

If you have questions about the SCCs, IDTA and Lexer’s Data Processing Addendum, please refer this information to your Legal, Privacy or Compliance department. You can also email [email protected] with any questions you might have.

Here are also some additional external resources if you would like to conduct further research into the changes: