On the 29th March 2019, the United Kingdom is planning to leave the European Union. Exclaimer have been busy preparing for this eventuality, to primarily ensure that all existing data protection laws continue to be adhered to. The following Brexit scenarios have been reviewed:
- The decision to leave the EU is delayed.
- A deal is negotiated with the EU that sees the UK adopting a ‘soft’ Brexit and remaining in a Customs Union.
- A deal with the EU cannot be agreed, which sees the UK adopting a ‘hard’ or ‘no-deal’ Brexit.
Exclaimer would like to reassure our customers and future customers that none of the scenarios above affect our ability to deliver our service, operate our cloud based solutions or affect our ability to comply with country specific data protection laws, such as the GDPR. Our very rigorous ISO 27001 certification backs up our very stringent and focused view on Data Security.
The GDPR permits transfers of personal data outside of the European Economic Area only if the country to which the personal data is transferred to has an adequacy decision made in respect of it, if appropriate safeguards are in place, or where one of the derogations in article 49 of the GDPR applies.
If you are one of our customers based in the EU, our email signature services are already provided via a Data Centre within the EU and so there will be no international transfer at this point. However, there may be situations where your employees need to email Exclaimer in the UK in connection with the services (such as raising a support ticket) – these emails may contain the employee’s name, telephone number, job title etc. After Brexit, depending on negotiations, this may constitute an international transfer of personal data.
Exclaimer have consulted specialists in this regard to give piece of mind to our customers. Our position is that where emails are exchanged between the UK and the EU which constitute an international transfer of personal data, our customers will be able to rely on the derogation set out in article 49.1(b) of the GDPR.
This derogation provides that the transfer will be permitted where it is required for the performance of a contract between the data subject and the controller i.e. the contract in question is the employee’s employment contract and the email exchanges are required for the employee to perform their employment role for the business.
On this basis, the transfer to Exclaimer in the UK will be lawful. Exclaimer will then have responsibility for that personal data when it receives it.
If you have any further questions about GDPR compliance, please liaise with your Exclaimer representative or email GDPR.firstname.lastname@example.org