Pension schemes with an administrator that accesses personal data from outside of the European Economic Area (EEA) should check their compliance with data control regulations, according to Squire Patton Boggs (SPB).
This follows a ruling by the Court of Justice of the EU (CJEU), which on 16 July invalidated the EU Commission’s adequacy judgement of the EU-US Privacy Shield Framework, one of the primary safeguards adopted by US service providers dealing with EU data.
A blog from SPB noted that the CJEU also confirmed the validity of Standard Contractual Clauses (SCC), another primary safeguard used by US service providers, but cautioned that their legality must be considered on a case-by-case basis.
SPB director, Francesca Fellowes, wrote: “Although the issue before the CJEU in Schrems II was the transfer of data between the EU and the US, the implications of the court’s judgment are far-reaching and could also impact transfers between the EU and other ‘non-adequate’ countries, including EU-China transfers and, post-Brexit, EU-UK transfers.”
SPB warned that all organisations in the UK, including pension trustees, should carry out due diligence on the international transfers of their personal data, starting by identifying all transfers of personal data outside the EEA, before checking that the data transfer mechanisms used enable the transfers to comply with EU and UK data protection laws.
While the European Data Protection Board is expected to issue updated guidance shortly, it was recommended that trustees review their scheme’s data map and service agreements to identify transfers of personal data outside the EEA and ask the relevant suppliers to provide pertinent information.
If transfers have taken place with US-based companies using the Privacy Shield, SCCs may have been used as a backup, and SPB recommended that an assessment be carried out to ensure that the US firm can adhere to the requirements of those SCCs.
“Reliance on a data mapping exercise in 2017/18 will not be sufficient – we recommend that trustees ask all their service providers at least annually to confirm compliance with contractual terms and that there have been no material changes to the information provided for the initial data map, but this is an additional assessment that needs to be carried out,” said Fellowes.