Are you being asked to sign model clauses because of Brexit?

GDPR and Brexit During Transition

As the Brexit turmoil continues in the UK with the UK government still to agree on an appropriate way forward, EEA businesses are gearing up for a no-deal Brexit.

When it comes to data protection, as we’ve discussed before, Brexit, and particularly a no-deal Brexit, could have implications for your business if you’re processing EU citizens’ data at the request of an EU data controller. Simply put, in a no-deal scenario the UK would be a “third country” and any EU to UK data flows would be seen as restricted transfers under GDPR. This is because it is unlawful to transfer data outside the EU unless appropriate safeguards are in place; these safeguards are usually:

  • An EU adequacy decision
  • An EU agreement with the country that binds businesses in that country to EU standards of data protection (e.g. the EU-US Privacy Shield agreement)
  • The use of legally binding contracts, by using “model clauses” dictated by the EU in their regulations

In the event of a no-deal Brexit there will be no adequacy agreement in place, nor will there be any agreement, which leaves just the contractual route.

The use of standard data protection clauses (or model clauses, as they’re sometimes referred to) basically requires a “cut and paste” of one of the EU’s Standard Contractual Clauses into an agreement between both parties.

With more and more businesses across the EU (not just the UK) preparing for a no-deal Brexit, we’re beginning to see some UK companies being asked to sign model clauses in anticipation of it. Without these contracts in place, EU to UK data flows would basically have to stop.

The question is, should you sign them?

Well, this depends. Arguably, it’s still uncertain whether we’re leaving the EU on the 12th April 2019, the 22nd May 2019 or at some other time, or not at all, and whether with a deal or with no deal. So you could say that you should only need to worry about model clauses once it’s clear that a no-deal is imminent (and definite), and you would be within your rights not to sign them just yet.

But if this isn’t practical then, provided the contracts you’re being asked to sign are literally the EU’s model clauses, in theory signing them binds your organisation to EU data protection standards, which of course, whilst we’re still in the EU (even if the withdrawal agreement is signed and we enter the transition period), you are bound to anyway. But this is only going to be the case if the contract is simply the model clauses – if your client has added something extra, or done something different, then you may need to be careful what you’re signing.

What to look out for

Check that these really are the EU’s Standard Contractual Clauses you’re being asked to sign, that you’re not being asked to sign something different, and indeed that you need to sign at all, because your client may have misunderstood the rules.

Need help?

Then you need to join the Digital Compliance Hub – not only have we produced some guidance information about Brexit, EU to UK data flows and what to do about being asked to sign model clause contracts, but we’ve also launched for members a model clause review service – a simple sanity check that you really are signing the right thing. Plus, of course Hub members get access to phone and email support should they have any specific Brexit, model clause or other data protection issues. Get on board yourself – it’s like having your own Data Protection Manager but without the cost of hiring a DPO.

Eat. Sleep. GDPR. Repeat.

We live and breathe GDPR and ePrivacy compliance, so you don’t have to. Our GDPR UNLIMITED helpline is all about offering you help and support, whenever you need it most. As well as the unlimited helpline, you get up to 4 hours of “hands-on” help each month, which we can configure to help you in any way you need, such as a GDPR review or acting as your DPO.

As well as the unlimited helpline and hands-on help you get GDPR and privacy updates, access to our GDPR knowledge centre and webinars.

Unlimited email & phone support

Unlimited email and phone support. Email or organise a voice call as often as you need each month.

Up to 4 hours "hands-on" help per month

We use these "hands-on" hours to do the GDPR work for you, such as reviews, acting as your DPO, checking DPIA, dealing with breaches, training your staff, etc. (Additional hours: £100+VAT per hour)

Online resources

Our Knowledge Centre gives you access to information, guidance, topic related guides and other tools to support your GDPR and PECR compliance

Updates, alerts & briefings

We provide updates and alerts and a monthly compliance briefing. You can either sign into the Knowledge Centre or sign up via email to receive an email every time we add a new update or alert

DPO services

Whether mandated or not we can act as your Data Protection Officer (DPO) and manage your day to day compliance

Webinars, workshops & training

Whether updates on the latest issue, workshops or team training, it's all included in your monthly retainer.
