A company based in United States receives information about its UK subsidiary’s employees in connection with the centralized HR service it provides.
How can the UK company ensure an adequate level of data protection that would allow the restricted data transfer to continue?
To ensure an adequate level of data protection for the restricted data transfer from the UK to the US, the UK company should submit a new application for the UK Binding Corporate Rules (BCRs) using the UK BCR application forms, as their existing authorized EU BCRs are not recognized post-Brexit. BCRs are designed for intragroup transfers and are appropriate safeguards for international data transfer within a corporate group.
SCCs are for transfers between third parties. BCRs are for intragroup transfers. Post Brexit, company's need to separately obtain approval with the UK ICO for their UK BCRs. "Holders of EU Binding Corporate Rules (EU BCRs) are now required to take action to continue relying on them as an appropriate safeguard for international data."
SCCs are for transfers between third parties. BCRs are for intragroup transfers. Post Brexit, company's need to separately obtain approval with the UK ICO for their UK BCRs. "Holders of EU Binding Corporate Rules (EU BCRs) are now required to take action to continue relying on them as an appropriate safeguard for international data."
C. By submitting to the ICO a new application for the UK BCRs using the UK BCR application forms, as their existing authorized EU BCRs are not recognized.