EU ruling raises non-EEA pension data transfer questions - SPB

Pension schemes with an administrator that accesses personal data from outside of the European Economic Area (EEA) should check their compliance with data control regulations, according to Squire Patton Boggs (SPB).

This follows a ruling by the Court of Justice of the EU (CJEU), which on 16 July invalidated the EU Commission’s adequacy judgement of the EU-US Privacy Shield Framework, one of the primary safeguards adopted by US service providers dealing with EU data.

A blog from SPB noted that the CJEU also confirmed the validity of Standard Contractual Clauses (SCCs), another primary safeguard used by US service providers, but cautioned that their legality must be considered on a case-by-case basis.

SPB director, Francesca Fellowes, wrote: “Although the issue before the CJEU in Schrems II was the transfer of data between the EU and the US, the implications of the court’s judgment are far-reaching and could also impact transfers between the EU and other ‘non-adequate’ countries, including EU-China transfers and, post-Brexit, EU-UK transfers.”

SPB warned that all organisations in the UK, including pension trustees, should carry out due diligence on the international transfers of their personal data, starting by identifying all transfers of personal data outside the EEA, before checking that the data transfer mechanisms used enable the transfers to comply with EU and UK data protection laws.

While the European Data Protection Board is expected to issue updated guidance shortly, it was recommended that trustees review their scheme’s data map and service agreements to identify transfers of personal data outside the EEA and ask the relevant suppliers to provide pertinent information.

If transfers have taken place with US-based companies using the Privacy Shield, SCCs may have been used as a backup, and SPB recommended that an assessment should be carried out to ensure that the US firm can adhere to the requirements of those SCCs.

“Reliance on a data mapping exercise in 2017/18 will not be sufficient – we recommend that trustees ask all their service providers at least annually to confirm compliance with contractual terms and that there have been no material changes to the information provided for the initial data map, but this is an additional assessment that needs to be carried out,” said Fellowes.
