LEGAL

Brexit

Find information on our response and identified impacts during the Brexit Transition Period.

The UK and EU after the Brexit Transition Period

We’re conscious that our customers and users may still have questions around the impact of the expiry of the Brexit Transition period.  To try and help, we continue to update this page to provide some insight into what we did to prepare for this and what we continue to do following the UK’s departure from the EU and other European institutions.

What has the effect of Brexit been on Egress?

Like all businesses, we planned ahead of the expiry of the Brexit Transition Period in order to ensure that there was no impact to our business model or the continued delivery of our services to our customers and users. 

On 28 June 2021 the European Commission adopted two adequacy decisions for the United Kingdom – one under the GDPR and the other in relation to the Law Enforcement Directive.  As a result  personal data flows are permitted to continue from the EU and EEA states to the UK without additional safeguards where it benefits from an essentially equivalent level of protection to that guaranteed under EU law.   

These adequacy decisions ensured the proper complete implementation of the EU UK Trade and Co-operation Agreement (as adopted into UK law by the European Union (Future Relationship) Act 2020). 

We continue to monitor the relationship between the UK and the EU as we move forward in order to ensure that we keep our policies, terms and processes appropriately under review.  

What preparations did Egress make for moving on after the Brexit transition period?

Since late-2018 we have monitored the discussions between the UK Government and the EU.

A key part of our preparations involved reviewing our supplier contracts to make sure they contain legal mechanisms to comply with the requirements caused by the UK’s departure from the EU and other European institutions.

We also updated our privacy policies to refer to the UK territories as well as the EEA where this is relevant to the processing activities that we carry out in respect of personal data. You can see more on these at our Legal Hub here.

We have also made resources available on our Legal Hub to enable customers to ensure that they are able to have up-to-date appropriate terms in place with us through signature of our Data Processing Addendum.

Does Egress use any sub-processors to process personal data outside of the UK and/or the EU/EEA?

Yes. You can find details of the sub-processors involved in delivering our services at www.egress.com/subcontractors. Some of these sub-processors may use data centres that are located outside of the UK (e.g. in either the United States or the EU/EEA).

How are transfers of personal data between the EU/EEA and the UK using Egress services permitted post-Brexit?

On 28 June 2021 the European Commission adopted two adequacy decisions for the United Kingdom – one under the GDPR and the other in relation to the Law Enforcement Directive.  As a result, personal data flows are permitted to continue from the EU and EEA states to the UK without additional safeguards where it benefits from an essentially equivalent level of protection to that guaranteed under EU law.   

These adequacy decisions ensured the proper complete implementation of the EU UK Trade and Co-operation Agreement (as adopted into UK law by the European Union (Future Relationship) Act 2020). 

We continue to monitor the relationship between the UK and the EU as we move forward in order to ensure that we keep our policies, terms and processes appropriately under review.

How are transfers of personal data between the EU/EEA and the United States using Egress services permitted post-Brexit?

We updated our EU-U.S. and Swiss-U.S. Privacy Shield information and self-certification with the United States Department of Commerce in line with regulatory guidance. Whilst the Court of Justice of the European Union (CJEU) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) ruled the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks invalid in the summer of 2020, we remain committed to the Privacy Shield Principles.  In recognition of our continued commitment, in October 2020 we self-certified with the International Privacy Verification programme (IPV). The IPV’s assessment criteria are aligned with those of the Privacy Shield and therefore by certifying with the IPV we are able to continue to demonstrate our compliance with the core Privacy Shield Principles in relation to the protection of personal data transferred outside of the UK and EU.  You can read more in our Service Privacy Policy here

Our supplier contracts already contain mechanisms to lawfully permit transfers of personal data outside of the EEA to the US where required to deliver our services to our customers and users in accordance with our Service Privacy Policy here.  You can find details of these at www.egress.com/subcontractors.

In line with regulatory requirements, we updated our Data Processing Addendum to include the revised EU Standard Contractual Clauses for contracts entered into on or after 27 September 2021. 

Is there anything I need to do with Egress following expiry of the Brexit transition period?

If you are an EEA/EU-based customer, or your use of our services includes the transfer of personal data from the EU/EEA to the UK, then please make sure that you have signed our DPA which can be found here. This ensures that we have the right terms in place to meet the requirements of data privacy laws and we have both signed the EU’s Standard Contract Clauses to lawfully permit transfers outside of the EEA/EU through your use of our services as the UK moves forwards.

If you have already signed a copy of our DPA, please ensure that you sign an updated version prior to December 27, 2022 when all existing contracts are required to transition to the new Standard Contractual Clauses.   

Please note: We are keeping our DPA under review as we await the release by the UK Information Commissioner of updated Standard Contractual Clauses for transfers from the UK to third-countries.