Within the context of GDPR, there are a number of restrictions on how one may process data outside of the European Union (EU) or European Economic Area (EEA). One mechanism for moving past these restrictions is for the European Commission to judge a foreign nation’s privacy law as “adequate”. Thus far, South Africa has not made the list of countries which qualify in these adequacy judgments. Because of this, additional safeguards need to be in place for South African companies wishing to process European data.
What Safeguards Are There?
Within the GDPR, there are a number of safeguards that can be put in place should a country not be listed as adequate. These are:
1. A legally binding and enforceable instrument between public authorities or bodies
2. Binding corporate rules
3. Standard Contractual Clauses (SCC) or Model Clauses
4. Standard clauses adopted by a supervisory authority
5. An approved code of conduct with binding commitments
6. Certification under an approved mechanism
7. Authorised bespoke contractual clauses
While these safeguards are listed, a number of them are not applicable or not yet in place. No certifications (6) or standard clauses by a supervisory authority (4) have been implemented as yet, nor have any codes of conduct with governing bodies (5) been approved. Guidelines for bespoke contractual clauses (7) authorised by the data protection authorities are also not yet in place. For the purposes of this article, which deals with South African private sector businesses and not public bodies (1), I will be focusing on Binding Corporate Rules (2) and Standard Contractual Clauses (3).
Binding Corporate Rules
These are incredibly cumbersome, although on the surface they seem like an easy win. Binding Corporate Rules (BCR) refer to putting rules in place for how your organisation processes data, in accordance with GDPR and the requirements therein. These generally apply to multinational companies that are processing data within different multinational or joint venture entities, some of which are outside of the EEA and EU. The cumbersome part is that each member state from which you are transferring data will need to review and approve your BCRs.
Standard Contractual Clauses
A much more elegant solution, though perhaps with lesser protection than BCRs (time will tell), is Standard Contractual Clauses. These clauses, also known as Model Clauses under the previous directive, are a set of standard clauses around data protection that two parties enter into. They are contractual obligations between the two parties – the data exporter and the data importer – that protect the rights of individuals whose data is being transferred. These contractual clauses must be used in their entirety and without amendment. You can, however, still customise your business-related clauses. You can read the latest clauses here.
Can we get some help?
While you can add these clauses and agreements yourself, there are additional obligations that the clauses or rules would place on your business. At Ross G Saunders Consulting, we offer a number of solutions through a network of professional providers in the technology, consulting, and legal spaces. Why not reach out to us or book a free online service enquiry below to find out how we can help your specific compliance journey?