Preparations for Brexit
With the continuing political uncertainty around Brexit, we’re conscious that our customers and users may have questions around how the various scenarios could impact their businesses. So to try and help, we’ve created this page to provide some insight into what we’ve been doing, and are continuing to do, as we move towards 31st October 2019.
Does Egress consider Brexit to be a risk?
We do not consider Brexit to be a risk to our business model or the continued delivery of our services to our customers and users.
We will continue to monitor the steps and approach of the UK Government and the EU negotiators, and guidance from the Information Commissioner’s Office (ICO) and European Data Protection Regulators over the coming months in the run up to the current Brexit deadline of 31st October 2019.
What has Egress been doing to prepare for Brexit?
Since late-2018 we’ve been monitoring the discussions between the UK Government and the EU. In line with guidance from the Information Commissioner’s Office (ICO), we’ve been making preparations based on a ‘no deal Brexit’. We’ve taken this approach as, if this is the route the UK takes, it will come into effect more quickly than the other options potentially available.
An effect of Brexit would be for the UK to become a ‘third-country’ under the General Data Protection Regulation, and in the absence of any adequacy decision from the EU Commission, an appropriate safeguard mechanism would be required under Article 46 of the GDPR to lawfully permit transfers of personal data outside of the EEA to the UK. A key part of our preparations has therefore been reviewing our supplier contracts to make sure they contain legal mechanisms to comply with this requirement.
We have also updated our privacy policies to refer to the UK territories as well as the EEA where this is relevant to the processing activities that we carry out in respect of personal data. You can see more on these at our Legal Hub here.
The steps we’ve taken will stand us in good stead whatever form of Brexit may eventually occur. They’ll also not have any negative impacts should the UK subsequently choose to remain in the EU.
Does Egress use any sub-processors to process personal data outside of the UK?
Yes. You can find details of the sub-processors involved in delivering our services at www.egress.com/subcontractors. Some of these sub-processors may use data centres that are located outside of the UK (e.g. in either the United States or the EEA).
How will transfers of personal data between the UK and the EEA using Egress services be permitted post-Brexit?
As far as transfers from the UK to the EEA are concerned, the UK Government has previously indicated that it will consider the EEA to be an “adequate” territory under UK law and therefore personal data transfers from the UK to the EEA will be permitted post Brexit. See more from the UK Government here and from the Information Commissioner’s Office here. This is being kept under review as renewed discussions continue.
Transfers from the EEA to the UK would be subject to the rules of the EEA. An effect of Brexit would be for the UK to become a ‘third-country’ under the General Data Protection Regulation, and in the absence of any adequacy decision from the EU Commission, an appropriate safeguard mechanism would be required under Article 46 of the GDPR to lawfully permit transfers of personal data outside of the EEA to the UK. We have reviewed our supplier contracts to make sure they contain legal mechanisms to comply with this requirement.
How will transfers of personal data between the EEA and the United States using Egress services be permitted post-Brexit?
Is there anything I need to do with Egress to prepare for Brexit?
- If you entered into a subscription with us before 25th January 2019 then we ask that you sign a copy of our Brexit variation which is available here under Additional Service Terms. This simply amends the terms of your agreement with us to reflect that part of the service delivery currently does, and post-Brexit will continue to, take place in the UK (Brexit will mean that the UK will not be part of the EU, and potentially the EEA, and this variation simply refers to the UK separately to allow for this).
- If you’re an EEA/EU-based customer, or your use of our services includes the transfer of personal data from the EEA to the UK, then we also ask that you also sign our DPA which can be found here under Additional Service Terms. This ensures that we have signed the EU’s Standard Contract Clauses with you to lawfully permit these transfers post-Brexit.