After years of uncertainty surrounding what GDPR would look like post Brexit, the trade agreement signed last Christmas Eve has left the UK with a hard GDPR border. It has, however, also secured a temporary period for the transfer of EU data to the UK: the “Bridge”.
This webinar recording is packed with useful information that explains:
- What you need to do to sell in the EU
- Article 27 – David will explain what is involved, and attendees will be given a voucher entitling them to 50% off the sign-up fee for an Article 27 service.
- What the Bridge mechanism means, and what will replace it
- What other steps you must take to be compliant
David Fagan has 25 years of experience dealing with EU data protection as a commercial lawyer acting for international companies and EU institutions. Join David and Scott Alexander, Legal Island, as they discuss data protection matters for businesses selling their products in the EU and Ireland.
Transcript
Scott: Good morning. Welcome, everybody. I'm Scott Alexander. I'm from Legal Island. Welcome to this webinar on, "Data Protection Implications of Selling from the UK into the EU Post Brexit." Our guest today is David Fagan from Business Legal. I'll just read a little bit about David first because he doesn't like to blow his own trumpet. He's an Irish privacy lawyer. I've known him for many, many years. In fact, David, I think you were one of the first solicitors that Legal Island ever worked with when I set up the Irish branch of . . .
David: Yeah, I think so. Back, I think there might have been . . .
Scott: In 2000.
David: There might have been in the last century if memory serves me right. Last millennium, it's a long time.
Scott: It was just before 2000, I think, when it was set up in Dublin. And so, anyway, David was a partner at Eversheds before it became Eversheds Sutherland, and headed up the Irish data privacy unit. A number of years ago, he set up Business Legal along with other equally experienced lawyers and professionals. A couple of things that David has done. He's managed multi-jurisdictional privacy projects across Europe, Africa, Asia, and the Middle East.
He's coordinated the compliance teams and operational teams to achieve multi-jurisdictional compliance, whilst meeting commercial goals. He's advised on the Safe Harbour and Privacy Shield schemes. And may bring up Schrems and such like later. GDPR, EU privacy, and GDPR issues for non-EU companies, particularly, excuse me, in relation to Brexit, which is what we're going to be focusing on today. And the list goes on and on. I'm not going to read them out. But his bio is up on our website.
Now, today we're looking at data protection issues, and it's for people who are based in the UK and sell things through to the EU, and therefore you gather data from the EU. But David being the protection privacy lawyer is happy to take any questions. So if you have any questions, you'll see on your right-hand side of your screen, a little box that says questions. If you type your questions in there, they will come up here and I will ask them anonymously of David while we go through the process.
Now, we intend looking at these areas, you can see them in front of you now, focusing on the end customers, the bridge, and equivalency. There's quite a lot about that we'll be chatting about today. Business-to-customer, business-to-business processing, and selling using non-EU processors, the processing for those EU controllers. So, hopefully, you know enough about that. But we'll cover a number of things.
Data Protection Implications of Brexit
So kicking off, David, I suppose we're leaving the EU. And what does that mean, generally, for the listeners here who are based somewhere in the UK, and Northern Ireland or GB? And what does that mean in GDPR terms and specifically?
David: Well, I suppose it means roughly the same as it means in a lot of other areas like customs and so on and so forth. Effectively, the UK has become a third country. And for those in Northern Ireland in GDPR terms you are still a third country albeit that there is a certain, there's a certain equivalence in terms of the single market for goods that Northern Ireland remains in practice if possibly not in name. But in terms of GDPR, you are essentially a third country. No ifs, no buts, no halfway houses, nothing.
The only, I suppose, difference between the UK as a third country and other third countries is that the UK is in a current, I suppose, halfway house position of not having yet been granted equivalency, which is a treatment by the EU whereby they say our personal data is safe in your country and data may be freely transferred to your country without hindrance or less.
And the other alternative, which is to say you don't have equivalency which means our EU personal data is not safe in your country, and you are not free to transfer it unless you put in place certain specific safeguards. And those safeguards have been watered down or watered down is the wrong word. The mechanisms for providing those safeguards were attacked in Schrems.
Sending Data Outside the UK
The Privacy Shield element is gone for the U.S. It doesn't affect the UK, and the standard contractual clauses or SCCs, which were the main mechanism for transferring data to non-equivalent countries, have now had a lot of additional conditionality attached to them. In addition to doing the SCC, you also effectively have to do due diligence on the jurisdiction you're sending the data to with specific regard to whatever that data is.
So, if you're sending data to say, the U.S. now, you have to think, will this data be subject to conditions that would breach the privacy of the data subjects for this particular bunch of data with regard to this particular bunch of data subjects that I am sending to the U.S.? You've got to kind of do a specific due diligence, which is obviously economic nonsense.
If every time we want to send data somewhere, we have to effectively do a due diligence to see, is it safe? That's just not economically viable. But that's the current situation for third countries. The UK is in a halfway house because it has the bridge. And that essentially means that this nightmare of having to do a kind of due diligence on your data before you send it anywhere, won't be coming in for at least four months from the 1st of January, which effectively is the 1st May, or six months from the 1st January, which is the 1st of July.
The additional two months is provided nobody objects. So basically, in a nutshell, the UK has four months to achieve equivalency, and another two months to retrieve equivalency if it doesn't annoy the EU in the intervening two months. That's essentially where we're at. But there is good news on that. Before I know you're dying to ask the questions, Scott. There is good news on the equivalency front, which is that the EU has very recently issued draft equivalency guidelines.
Essentially, the EU considers the UK a safe destination, but the member states now have to approve it. So the technocrats say yes. Computer says yes, but now the politicians also have to say yes. So I suppose it's now a political question rather than a technical question.
Scott: Okay, so it's likely that we're going to get equivalency that the UK's data protection system and the laws are adequate as far as the EU is concerned. So we don't really have to worry about being a third country and requiring some kind of privacy shield arrangements and standard clauses from EU companies that we're working with.
David: Probably. There's a subtlety to that though, which is that the UK is now essentially . . . because of the GDPR having extraterritorial effect, UK processors and controllers are now going to have to deal with both the UK GDPR for UK personal data, but they're also going to have to deal by and large with EU GDPR for EU personal data. So there's now two parallel regimes.
And that's because of the extraterritoriality baked into the GDPR. It's a little bit cheeky, but the EU has basically said, this is our data, and wherever in the world that goes it has to be treated according to our standards. And so the UK has moved into that world now.
Scott: Yeah. And it means basically, that once it gets this equivalency thing, if it deviates from improved standards or changed standards going forward, then it's going to have to meet that equivalency and go through that process again, presumably.
David: Yes, that will be reviewed every four years. So once it gets equivalency, absent a Schrems-type attack on the equivalency decision, which let's face it, is perfectly possible. But absent the Schrems type of attack, absent somebody taking up the cudgel and suing the UK, the situation will only be reviewed every four years.
So it's unlikely to fall out of favour within four years. And, therefore, it is fair to say that UK companies will have a little bit of certainty once the equivalency is granted. We'll have a lot of certainty. You will know what the pitch looks like for the immediate future.
Data Privacy – Schrems Case
Scott: Okay, now, just before we move on to the various things going backwards and forwards with Europe, maybe you could explain a little bit more about Schrems because I know all about Schrems because it's been in the Irish courts for a number of years. Mr. Schrems and he's not very happy with Facebook. And you mentioned the American situation there and if we are transferring information to America, the concern is that you take your customer data, customer, in this case that we're talking about, it could be any personal data and it goes to America and it's then sold on perhaps, it's not protected in the way that we might be in the UK or indeed, the EU.
So maybe just expand a little bit more of Schrems. And explain that outside transferring to the EU, we also have issues if we transfer data outside the UK now.
David: Okay, so Max Schrems was an Austrian trainee lawyer who was shocked to discover the amount of data that Facebook had on him. And in his initial dealings with the company, found that their response wasn't satisfactory. So he decided to launch proceedings against them, somewhat of a crusader type. And those proceedings were delayed and delayed. And it must be said, not dealt with expeditiously either by Facebook Ireland, or by the DPC here.
They had to be launched in Ireland because Facebook's European data protection, and indeed European businesses, run from Dublin. So that made its way through the High Court, and a decision, Schrems won, invalidated the Privacy Shield aspects of the U.S. EU arrangements. Privacy Shield. I won't go too much into detail because it's dead and therefore doesn't matter. But it essentially was a contractual solution to an ability to transfer data to the U.S. essentially.
The U.S. agreed certain things, but not at a state level. They put in place, I suppose, a contractual scheme that people could sign up to and bind themselves to European terms and conditions or European-like terms and conditions. They weren't binding themselves to Europe, but to roughly equivalent terms and conditions. And if they were a member of that scheme, the EU considered it a safe destination.
In reality, the scheme was quite threadbare. The original Safe Harbour scheme was invalidated by Schrems in his initial case, and then Privacy Shield was brought in. So then, Mr. Schrems wasn't happy and he brought Schrems II attacking Privacy Shield. And in, I think, last October, certainly very towards the end of last year, his case was decided upon by the European Court of Justice, Court of Justice of the European Union.
And what happened was that the Privacy Shield mechanism was invalidated. Essentially, the EU said Privacy Shield didn't provide enough protections for EU data. That's in a nutshell. But it also invalidated the . . . or partially invalidated the standard contractual clauses. And what these were, these were a form of contract approved by the EU. And if both parties signed them, it's safe to transfer data or it's lawful to transfer data.
These ended up in the European Court of Justice because the DPC here, Data Protection Commission here, dragged them into the fight which was a little unwise and somewhat criticised by Mr. Schrems. Because what it did was it caused far more damage than invalidating Privacy Shield could have done because it meant there was now no easy contract that both parties could just sign up to, to validate the transfer of data.
What you have to do now is effectively you have to do due diligence on the company and country that you're sending the data to, to see if in effect that data is going to be safe there. So now you can't just sign a contract and say, that's fine, we're done. It's an approved contract approved by the European Commission. You now have to, in addition, look beyond that and see, well, would a competent person say that this data is safe, given the destination it's going to and who we're dealing with, and how it's going to be processed.
So that's essentially what Schrems II has done. It has invalidated Privacy Shield, but rather, more importantly, it has damaged the standard contractual clauses method of transferring data, which is why it is so valuable that the UK has this temporary bridge for the next month and a half for definite and the next two months as long as the EU or UK don't object.
And why it's so vital that the UK gets equivalency? Because people . . . it hasn't been seen what the effect of losing this would be. But it would be catastrophic. People will simply stop using UK firms without some form of additional guarantees being given by UK companies about the safety of the data. And the problem is some of those guarantees may not actually be capable of being given. In other words, the company might want to give them but they might not be able to say your data is secure from, say, security forces interception, from police warrants, and so on so forth.
But there's a whole raft of stuff that a company simply can't guarantee. So that's essentially the issue. But the good news is, it's looking good. And these nightmare scenarios hopefully won't have to be looked at, which means, for a company, if you're a business, you don't want to know what might happen. You want to know what will happen, and how's it going to affect my business.
So for the moment, and this only, this decision only came out about 10 days ago after this seminar was planned. So if the draft decision had not come out, we would be having a different conversation. But right now we're able to say it's looking very good that people will be able to continue to trade with the EU, provided they comply with EU GDPR.
Sending Data North or South of the Irish Border
Scott: Okay, and so in all likelihood, when it comes to going to the EU, we should be okay within the UK for transferring data. And that goes both ways? Does it mean, if we've got customers . . . we'll come in a second to whether it's customers or business-to-business. But if we are storing information in the UK from our interests, south of the border, in this case, or if we're sending Northern Ireland information south of the border, is there a difference or are they both going to be covered by this equivalency in all likelihood?
David: Well, the UK already granted equivalency. It never didn't grant equivalency to the EU. So before UK GDPR even came in, the UK said it considered the EU an equivalent destination. So right now you can send data from the north to the south or indeed from the UK to anywhere in the EU. The EU doesn't care about data coming in. And that's the thing. The EU never cared about data coming in. It only cares about data leaving.
So you could always send data in which creates difficulties. For instance, if you are a U.S. company, and you send your data into the EU, and then you try and extract it back from the EU, you'll discover you can send it in no problem but getting it back, it will be captured by GDPR.
Scott: Yeah, so yeah. So if you've got customers and you've got a branch in Belfast and a branch in Dublin, without that equivalency, the difficulty will be . . . you can send all your northern stuff down, but you won't be able to get it back easily unless this equivalency thing is in place.
David: Essentially, if there is processing that, if there is processing in the south, such that the data is captured by GDPR, you won't get it back without equivalency.
What is Meant by Data Processing?
Scott: Yeah, yeah, it will be processed, because storing is processing, isn't it?
David: Storing is processing. Processing is almost anything, to be frank. There is one trick which a lot of companies have done for many years, which is that capturing data initially is processing. But the processing is occurring where the data is being captured. So if I'm sitting at my keyboard in New York at my computer in New York, and I have a website, and landing onto my server in New York or Alabama or wherever are Irish, and German, and French data subjects who are signing up to my service, they are not exporting data from the EU.
Because there is no data controller involved. It's a data subject doing something on his own computer. There is no data controller involved. The first data controller becoming involved is in fact in the U.S. So although it's a little counterintuitive, when Gunter in Berlin is typing into the website, and that lands on a server in Alabama, he has not exported data because he's not a person who exports, he is the data subject.
But if Gunter is sending someone else's data, in other words, he's a controller or a processor, he's not doing it on his own behalf as a data subject, well, then that data will be captured. So that's why it's important to consider particularly the difference between B2C and B2B. In a lot of B2C cases, the data will be leaving the data subject, not a controller and not a processor, to land on a UK server and that's fine.
So when you're talking about your customer in the south, signing up, and your website could be based . . . could be your, as a Northern Ireland company, your website could be hosted in Reading. Yes, the data is leaving Ireland, but it's leaving from the data subject to be captured on a website in Reading in the UK. So that website, that controller or that administrator of that website, whatever your hosting company is, is a processor of that data for you.
You sitting in Northern Ireland are a controller of that data, but there has been no data transferred. Because what has happened is the data subject has entered data in Reading, which you then can use in Northern Ireland. The problem then arises when you send it down south to action it in some way with your Southern Company to say, "Can you please do this, this, and this?"
Still, so far, so good, because there's equivalency from the UK into the EU. But as soon as your southern company and it doesn't have to be your subsidiary, it could be any company could be your subsidiary, it could be a partner company that you use, an agent, whatever, as soon as they attempt to send that data back, or anything about that data, yes, the sale has been completed. No, we require part number NC257.
As soon as something happens, where information relating to that individual person ends up back, coming from the south, or coming from anywhere in the EU, back into Northern Ireland, that will be a transfer. And right now you're relying on the bridge, if equivalency is granted, you will be relying on that. But either way, whether you have equivalency in the future when you have the bridge now, you still have to comply with EU GDPR for that data, as well as UK GDPR.
And the most obvious requirements are your privacy policy that people can see will have to reflect that. And you will have to appoint an EU representative as everyone in the UK has to appoint an EU representative if they are processing data of individuals in the EU. There are some very limited exceptions. State bodies don't require this. And if there is limited processing, or regular processing, in other words, you couldn't be selling in a campaign.
But if you were selling 10,000 units over a year and two inquiries happened to come from the Republic of Ireland, and nowhere else in the EU inquires, that would not trigger the requirement. But essentially, it has to be a regular sporadic, no volume. So all but the most innocuous, unintentional accidental sales in the EU will trigger this obligation.
Certainly, if you're using a website in that language, so if you're using French, or German, or Italian, and Dutch, Spanish, if you're using those languages, if you're accepting payments in euro, if you're doing anything that shows that you're looking for sales or looking to provide a service to anywhere in the EU, then the obligation to have this EU representative will be triggered. And it also works in reverse, for instance. I mean, we'd have to appoint a UK representative.
Scott: Okay. And presumably, for organisations like Legal Island, we've got a .ie website and a .com. website and the Irish customers go through the .ie normally, and the UK customers would go through the .com. If we want to bring that information up from our .ie website, that's governed by the bridge and indeed the equivalency. Is that correct?
David: Yeah. But just to be very precise, the fact that it's a .ie website doesn't necessarily mean you're transferring data from the EU. So whether you're transferring data or not will be a matter of fact: is there data being transferred? But what a .ie website will do, for instance, will absolutely trigger the requirement to have an EU representative, and I know you do have one. It will trigger that requirement because it's clear you are looking for business from an EU jurisdiction.
Impact of NI Protocol on Data Protection
Scott: Okay, no problem. Thank you. And if you have any questions, folks, the question box is there. We've had one. I think you kind of answered it near the beginning there, David. I think the answer is it doesn't work. Where does the NI protocol sit? My understanding is NI is slightly different from mainland UK laws going forward. But I think your answer is it may be on certain laws, but not on data protection. Is that correct?
David: Yeah. I mean, specifically, there's nothing in the protocol that's changing the requirements. It's going to apply to the entire UK. But there's nothing specifically in the protocol that carves out data protection. There was in the original withdrawal agreement, if we were getting into Brexit. The original withdrawal agreement had everything being hunky-dory up to the 1st of January, which has now passed. But there's nothing specific to the Northern Ireland protocol.
And it's not a data protection issue. What the Northern Ireland protocol does in terms of interacting with EU law in the main is that it keeps Northern Ireland in the EU single market for goods but not for services, but for goods. So essentially, that's the issue about the imports from GB into Northern Ireland, internal imports, I suppose.
But essentially, that's what that issue by and large covers. It's about physical barriers to trade. And I suppose nobody was too bothered about services because they're not physical and nobody was too bothered about data. So it seems to be all about physical borders, basically, with regard to the protocol.
Role of the EU Representative
Scott: Okay, let's go back to this EU representative. What do they do? What's their job?
David: Their job is very simple. They have to be based operationally within the EU. In other words, it can't be a brass plate operation. It has to have an operational presence, an establishment in EU speak, in the EU. And effectively then they are your representative. But they're a curious form of representative because they don't have to represent you.
By which I mean, you can elect for them to be your representative, or you can elect for yourself to be the contact point along with your representative. So it's a little like most companies have come across having an address in the state for the service of proceedings. It's a little like that, an address at which you can be reached. But it's a little more than that because your representative has to hold what's called your Article 30 record.
So if you are processing personal data, and you have more than 250 employees, you are obliged to hold an Article 30 record. If you don't, it's still a good idea, because you may grow beyond that and your representative is obliged essentially to hold that record and to be available as the contact point. They're also going to be nominated in proceedings. So, but the data controller or processor, the foreigner or non-EU entity is still going to be the liable party.
So, essentially, the representative will be sued, but the person liable and this has been decided a few months ago, in court, the person who's going to be liable will still remain the non-EU company. So if you're in the UK appointing representative, you're saying this is the representative. You're telling people who they are. You are giving the representative the Article 30 record. If you don't have one, you're drafting it. And they hold that record. And it has to be continually kept by them.
So they have to be able to say when contacted, the representative has to be able to say, here is the Article 30 record. So that's essentially it. Now, you can pay any amount of money that you want for that service. But the core of the service is essentially just that the representative is there and holds your Article 30 record, and is the party against whom proceedings are issued within the EU if they're looking to sue your company.
Data Protection Commission – Ireland
Scott: And I suppose the thing about Ireland, in particular, is they've really expanded the Data Protection Commissioner's staff. They do an awful lot of inspections. I was looking at their annual report there the other week. And they seem very active. And I suppose the south have always had these workplace inspectors as well through the WRC or its equivalent prior to that. So it's not . . . I'm not sure that I know anyone outside the people who do mass spam emails that have been caught out too often by the ICO in Northern Ireland or indeed the UK.
But the Data Protection Commission seem very active in their investigations down south. And I suppose because they're seen as the European headquarters for so many tech firms. You know, I think it's like 29 of the top 30 tech firms in the EU have their headquarters in Ireland.
David: Yeah. I mean, it's essentially the . . . I suppose, in terms of cases handled for size of organisation, the DPC is probably the most important data protection regulator in the world simply because there are so many predominantly U.S. but not exclusively U.S. major companies having their European headquarters in Ireland, sometimes for tax reasons. It's not really predicated on the GDPR regime, but they are here and are regulated by it.
But I would say that the DPC does most of the inspections and most of its work still comprises inspecting people's websites and checking essentially for the documents that they're meant to have. So these days if the DPC inspects you, you'll literally get a call saying, "Can we please have a copy of your privacy policy? Can we have a copy of your security policy for IT?" and so on, so forth.
Can we have a copy of your Article 27 registration, if you're a foreign country company? Can we have a copy of your Article 30 record of processing? So essentially, it's still quite a lot of what they're focusing on is, I suppose what you might describe as visible compliance because it can search thousands of emails, or thousands of web addresses, and find a hit list of people who ostensibly on the face of it on their website are non-compliant.
It doesn't really have to delve deeply into knocking on doors to find non-compliance, it's literally in front of it on the web. So I found that they tend to do a lot of that. They're also reactive to complaints. I mean, if there is a complaint made, then they will quite often follow it up with an audit. But a light touch about it, looking for those documents. And if you satisfy the DPC, if you say, "Well, here's our documents. And here's the answer to your question," they go away very easily, if it looks on the face of it that there's reasonable compliance.
So a lot can be achieved by just, I suppose, by the peripheral kind of look of your compliance, without getting into the processing and how your server operates. And without getting into the nuts of it. If you look nice on top, it goes a long way.
Registering Your EU Rep with the Data Protection Commission
Scott: Okay, there's a few questions coming in, Dave. Do you formally have to register your appointed EU rep with the local regulator, in the case of Ireland the DPC?
David: No, you have to appoint them by letter in writing. You do have to formally notify, now this is if you are in Ireland as opposed to in Northern Ireland, you do have to formally notify the appointment of a data protection officer to the register that you have, but there isn't a register of EU reps, no.
Scott: Okay. I was laughing that it has to be by letter, and it's data protection that you wouldn't send it by email, although . . .
David: Oh, no, it has to be in writing. As I say, we have a service EU rep. And as I say, that's all automated. It is in writing. It's an appointment in writing.
Scott: You mentioned before that security issues which might be from someone from security, I'm not sure. The DPP which may be the Public Prosecutions, I don't know, extradited . . . from the USA. And the data subjects' personal information was leaked on social media in the States. If the name is googled, everything as to why it was extradited can be seen. The DPP are only people who had this info and sent it to America. Who's responsible for this? I don't know if I . . .
David: Well, I'm not going to make . . . I'm not going to make an assumption that the DPC have broken the law. And so I'm going to stay well away from the defamatory potential of that. But what I will say, in as much as I can try to get my head around it. If information, if, big if, huge if, if information was transferred by an unauthorised party to a third country that does not have equivalency, then in a data protection sense, and leaving aside every other potential breach of every other law, ethics, and so on and so forth.
If something like that occurred, you would be looking at one, an unlawful transfer because the transfer shouldn't have been made. The transfer is simply a transfer of information between jurisdictions. You'd also be looking at an unlawful disclosure. A disclosure is people often talk about transfer. And what they really mean is disclosure. A disclosure a . . . I'm putting air quotes in which is a horrible thing to do, but a transfer of data between entities.
So when you transfer outside the jurisdiction, it's a transfer. When you give it to a different company or a different entity, that's a disclosure. So it'll be an unlawful transfer. Separately, it would be an unlawful disclosure. And thirdly, it might well be that the unauthorised person making the disclosure had made themselves liable. Because there are criminals, there is a criminal offense under the Data Protection Act in Ireland for essentially, a person who is not authorised and is not the controller or the processor.
So for instance, an employee of the DPC, a rogue individual, if that occurred, you might then have a criminal offence under the Data Protection Act. There are no criminal offences under the GDPR per se. But each jurisdiction in Europe has its own additional data protection laws. And in many of those jurisdictions, there are criminal offences, including jail time.
So this, for instance, could involve a prison sentence. I can't remember exactly what the maximum prison sentence was. I'm tempted to, say, five years. I did look at it about two years ago, but the information hasn't stuck. But there's probably something in the region of there's definitely an offence and there might be some serious prison time attached to it. But as I say, massive if. I've no reason to believe that anything untoward happened at the DPC and I'm not saying it. This is a theoretical discussion only.
Scott: That says DP there, so that doesn't work in PPS there. But thank you very much for the answer there. I suppose there was the Morrisons case over in England where the accountant . . .
David: With the HR data, you know.
Role of EU Rep – Business to Customer Data Transfer
Scott: And ended up in jail, if I remember, really. There's another question here is, again, I think it depends where the server is if I'm picking you up, right. And is there a requirement to appoint an EU rep for business-to-customer only where the data centre is the data subject, for example, a hotel in the UK taking EU or worldwide bookings? And that would presumably depend on where their server is but if it's a hotel in London, and somebody books directly with that hotel in London, there's no transfer. The data subject is just giving that information to them. Is that correct?
David: Yes, but we have to split between a transfer, which is a problem under Schrems, and using an EU rep. You are still processing the data of EU data subjects. So you will still have to comply with GDPR and you will still have to appoint an EU rep. But there is no transfer. And you might say, well, that's almost a meaningless distinction. And to a degree, possibly, but we're not talking about an unlawful transfer because there is no transfer.
But there is still a requirement to hold that data in accordance with GDPR. That's because of Article 32, extraterritorial effect for the processing of EU citizens where, essentially, it's not quite as narrow as saying where the EU is being targeted. It's even wider than that. But it's clear in the instance where bookings are being accepted for this UK hotel, you know, from large numbers of EU citizens. It's clear that they are being targeted in the sense of the UK hotel is happy to have these guests come in.
And it's what a hotel business does. So they would be subject to GDPR and would have to appoint an EU rep, but would not necessarily, that particular instance may not necessarily be, a transfer. If however they're using agents in the EU, because the agent would be a controller or a processor, that would be a transfer. The minute somebody other than the data subject themselves is sending the data. You know, the minute there's a business involved of some sort, it becomes a transfer.
Scott: If you're running, I don't know, "Game of Thrones" type trips from Dublin up to Northern Ireland or something like that, and you're gathering that information and sending it off to the tour operator in the north, they're not . . . That would cover transfer that you would be using some kind of agency to transfer lots of data rather than have individuals book directly with you. That would certainly . . .
David: Yeah, that would be a transfer. The issue will be who's the processor and who's the controller. But in the situation you described, it sounds like the Northern Ireland operator would be the controller, and the agent that's sending up the information from the south will be the processor. But that's a generalised answer because when you look at how people conduct their affairs, you can be quite surprised as to who the controller and who the processor is.
The largest company isn't necessarily the controller. And sometimes organisations actually structure how they do it simply to avoid transfers. So it wouldn't be unusual to have actually structured a transaction in a way not to trigger this requirement.
Business to Business Data Transfers
Scott: Okay, most of the discussion has been about business-to-customer. What about business-to-business? Because I don't think the Data Protection Act, or the GDPR, or anything like that was set up to stop business-to-business. And certainly, I have my personal details over LinkedIn and Legal Island and everywhere else, and I don't particularly mind getting information from other websites or people because they may become contacts or they may be useful and so on. Is there a lesser standard? Is it an issue if it's business-to-business and it contains Scott Alexander from Legal Island?
David: Yeah, the same principles apply. However, depending on the business, you may be less likely to be sending personal data. I mean, if you're selling tractors from Northern Ireland into the south, and you're selling them to a distributor or a dealership in the south, you may only be dealing with XYZ Bantry Limited and a couple of people who are your contacts there.
So, Jim, the general manager of Bantry Motors, is corresponding with you, and said, "I'd like five tractors next month." That's not really going to cause any stir. It's not going to trigger an obligation to appoint an EU rep. And the limited data that's been transferred is going to be captured by an exception in the transfer derogations for basically very limited amounts of data. It really is a very small exception, but B2B is more likely to trigger it.
But if, on the other hand, you are dealing with an events company who is sending you the names of 200 people that will be travelling up to the north, if you're processing HR for a company in the south, or if you're processing accounts, or you're processing anything, you could be getting personal data of somebody's employees, of somebody's pensioners. Anything where there's lists of people involved, you are much more likely to trigger it.
And one good thing, or one equivalent thing, between the UK and Ireland, which isn't really replicated anywhere else except France, as it happens, is that in marketing terms, if you have a business-to-business type arrangement, you can actually email and not fall foul of the marketing regulations. You can email B2B campaigns without getting their opt-in or their soft consent.
So they have to have the right to opt out, which you'll have seen at the bottom of every marketing email you've received. But most of Europe actually requires an actual opt-in, and many of them don't work. Many of them won't even allow what's called a soft opt-in, which is where you've of course been doing business with that individual or with that company. So, again, there's quite a similarity between the UK still and Ireland, more so than some other jurisdictions.
Scott: Okay, we can, I think, come to the end of the webinar, so far. You have an offer, I believe, for people also. Maybe put that up, Rolanda, so that people can have a look if they want to use you as one of their EU reps.
David: This is our sister firm rather than Business Legal, which is our day-to-day data processing. So this is purely focused on being an EU rep. So first thing I'd say to you is, if you have a subsidiary in the south, you might still consider or indeed anywhere else in Europe, you might still consider using an EU rep service, because this service, we check several times a day every day for contacts from data subjects, for contacts from supervisory authorities.
If and when one comes in, we are aware of the generality of what's being asked. You may be dealing with foreign supervisory authorities. We can tell you, based on the legislation and the articles referenced, roughly what you're being asked for, so we can get on the ball immediately. You have essentially a month, for instance, for the Data Access Request to get back.
So you're ahead of the game if somebody already looked at it in a professional sense before it gets to you. If you have a subsidiary in the EU, as I say, I would still use a representative, an external representative. I've already explained that the representative service essentially, it gives you your representation, holds your Article 30 record, gives you a written letter of appointment or you give it a written letter of appointment.
You have to have what's called a controller processor agreement because it may be processing personal data on your behalf. And you have to notify your data subjects as to who your rep is. All of that is done, essentially automatically. Here is the wording to stick into your privacy policy. Here is your controller process agreement. Here is the signed letter of appointment. And your Article 30 record is captured in the service as you sign up.
So there are three services. I've got to explain each of them very, very quickly because I see we have literally about 60 seconds. So the E-rep service is a self-directed service. If you know what you're doing, give or take, you sign up, you fill in the Article 30 record, but based on questions that are asked and guidelines that are given for what your answer should look like, do it yourself, entirely automated. €99 sign-up fee, and €19 per month. So that's the cost of representation.
The PRO service is roughly the same except we will allow you to upload an Article 30 record that someone else has done for you or that you've done yourself. So you can give us a PDF and say this is our Article 30 record. Whether you sign up based on our questionnaire or whether you sign up by uploading your own Article 30 record, we will review that for you, make comments and suggestions on your Article 30 record and make sure that it's been reviewed.
So the first one is you're doing it yourself. The second one is it's reviewed by us. The third one, PREMIUM, is effectively you don't know what an Article 30 is. You've never done this before, and you haven't the time to be dealing with it. We will do a short mini audit of your company specifically to fill in this Article 30 record and we will do it for you. And then they're out for 899 for the signup fee. And, thereafter, the monthly charge is €29 a month.
So, essentially, there's a signup fee, which covers the initial administration and getting you up and running. If you're doing it yourself, self-directed, €99. If we're reviewing it, €299. If we're doing it, essentially extracting the information from you and putting it together for you, we will charge you $899. And ongoing, the first one is 19 a month every month thereafter. The review one is 29 per month every month thereafter. And so is the PREMIUM, because it's essentially the same thing.
For the PRO and the PREMIUM, you can always come back to us and we will tweak or amend as you request. For the E-Rep you can tweak and amend it yourself by going in and amending your Article 30 entry. So that's essentially the service. The discount code is bizlegal50, which is valid until the 31st of this month. So it's entirely . . .
Scott: And, David, they go to your website there. They go on eurep.ie, the email you used.
David: They go to eurep.ie. And so if you've gone to EU, there's also a mine of information. It is a very . . . there's an awful lot of FAQs. If you want to know what an E-rep is, what it does, how it operates, there's an enormous amount of information contained in the FAQs on that site, far more than we've been able to go through in this call.
Scott: Okay. Well, there's the details for David and me there. Our next webinar will be on the 9th of April. It's the usual Employment Law at 11 with Seamus from O'Reilly Stewart. So any questions you have on any employment law stuff, please send those into Rolanda or me and we will do it. So thanks very much, David. I hope that we will see you again soon. And good luck. We'll be in touch. You take care. Thanks, everyone.
David: Bye, bye, everyone. Thank you.