International Data Transfers
Does this affect you?
In our increasingly global world, it will be the rule rather than the exception that personal data leaves the UK and EU borders and the speciality finance market is no different. We have set out below common data transfers within a speciality finance transaction:
- You are a UK based specialist lender and you transfer personal data to non UK/EU investors (such as those based in the US) pursuant to an asset sale agreement or in accordance with your debt facilities (including on perfection or enforcement). The transfer of personal data or the granting of access to such personal data (even if the data does not physically leave UK or EU soil) to such investors will constitute a data transfer and you should consider whether you are required to: (i) ensure that the data transfer is compliant with recent case law and guidance; and (ii) incorporate data transfer provisions and safeguards into the relevant agreements.
- You are a non UK/EU based investor based in the US: as an investor you may receive various categories of personal data from a UK/EU specialist lender. Those UK/EU specialist lenders are required to assess the laws and practices of the US as they apply to your organisation to determine whether its transfer to you has the same level of protection in the US as would be in the UK/EU; this is known as a transfer risk assessment (“TRA”).
- Your UK/EU company sits within a wider group of companies and you make routine intra-group transfers of personal data to your parent company or subsidiaries overseas or your parent company/subsidiaries have access to your systems.
How does it affect you?
For UK/EU specialist lenders or companies with an overseas parent or subsidiary, you will need to implement an international data transfers compliance project and before undertaking any transfers of personal data from the EU or UK to a country which has not been granted an adequacy decision by the EU or UK you will need to consider:
- incorporating the new EU standard contractual clauses or the UK’s IDTA/Addendum as applicable into your transaction documents;
- undertaking a TRA; essentially assessing the laws and practices of the country to which personal data is being sent; and
- implementing supplementary measures (technical, organisational and/or contractual in nature) to address any risks identified.
Organisations can no longer simply append standard contractual clauses to a contract; instead any data transfer and the laws of the recipient country must be thoroughly scrutinised and assessed before proceeding.
For US investors, you may receive requests from UK/EU specialist lenders for: (i) information about any onwards transfers you make of that personal data and previous requests you may have received from governmental or public authorities for access to personal data; and (ii) assistance in completing TRAs. The ability to react swiftly and with confirmation of compliant policies and procedures to such requests will help foster a productive and viable relationship for planned transactions.
What should an international data transfers compliance project entail?
We have mapped out below the different stages of an international data transfers compliance project.
|Data mapping||Defining data transfers strategy||Preparation of template key documents|
This is the exercise of identifying all international data transfers, internal and external.
To enable your organisation to do this:
- business stakeholders may need assistance, training or guidance or flow charts to help them identify a restricted transfer; and
- review and update your existing third party due diligence questionnaires/process to ensure the relevant information is obtained.
This will involve:
- determining whether you treat UK and EU transfers separately or adopt a combined approach;
- defining your organisation’s risk profile and methodology;
- determining approach for prioritisation in respect of (i) existing and new transfers; and (ii) type of transfer, based on risk framework;
- determining approach for onwards transfers; and
- implementing an approach for operationalisation and risk acceptance/sign of
Key documents will include:
- transfer impact assessments/transfer risk assessments;
- jurisdictional risk assessments for certain key jurisdictions;
- playbook of data transfer contractual wording incorporating the relevant data transfer mechanism; and
- a menu of supplementary measures and guidance for implementation.
- Integrated within our Speciality Finance practice we have sector expects from our dedicated Data Protection practice who can help our clients navigate this new area of data protection compliance.
- The nature of any international data transfers compliance project is cross border; spanning numerous jurisdictions and data protection laws. At Ashurst, we have our own privacy experts across the world and we have a network of overseas data protection counsel to enable us to advise on data transfers to all jurisdictions.
- We have created template jurisdictional risk assessments for key/high risk jurisdictions which we are happy to share and tailor for the particulars of your transfers. The output for you would be a bespoke jurisdictional risk assessment.
- We have our own in-house standard contractual clauses generator which can also incorporate the UK Addendum for those scenarios involving an EU and UK transfer.
- We can provide a fully tailored and bespoke package to meet your needs, flexing up or down as needed. This could take the form of:
- providing a full end to end international data transfers compliance offering, working with you at every stage;
- you picking and choosing elements which your organisation needs support on;
- Ashurst taking a project management and governance role for example: working with your organisation to embed its own established processes and policies for data transfers; training up employees on completing transfer risk assessments/transfer impact assessments and/or negotiating contracts with data transfer provisions;
- providing training on data transfers/Schrems II to legal and compliance teams;
- creating bespoke template documents; or
- coordination of our global employees or network of overseas data protection counsel to conduct jurisdictional risk assessments.
Our dedicated data protection practice has successfully advised multiple clients
- A FTSE 100 company in relation to its risk appetite for international transfers, helping it form a strategy which meets its own risk tolerance
- A UK insurer on the scope of its international data transfers compliance project and providing strategic advice on its approach to categorisation of data transfer assessments
- A global software testing company in relation to its compliance with European data protection laws and an intra-group international data sharing agreement
- A leading challenger bank in relation to a data transfer impact assessment involving the supplier’s Indian affiliate having access to over 200,000 customer records. Based on our assessment and advice, the client implemented a number of supplementary measures to manage the risk arising from the transfer from the UK to India
- A global insurance and reinsurance company supporting on all aspects of its international data transfers compliance project by acting as an extension of its Legal/Privacy team. This resulted in various workstreams ranging from the creation and operationalisation of a TIA template to defining the client’s risk profile and methodology and onwards transfers strategy
- A leading global investor in relation to the data protection provisions in various fund documents and the provision of advice relating to international transfers of personal data