Personal Privacy in an International Age: Implementing the GDPR in Australia

We are living through an increasingly digital age. We’ve recently experienced, on both an individual and industrial scale, the adaptability of technology and the tangible effects of globalisation. In this interconnected world, personal data provided online can be readily shared with various third parties, including between businesses, employees and contractors, or government agencies.

If your business controls or processes the personal data of individuals located in the European Union (‘EU’), you could be subject to the privacy laws of the General Data Protection Regulation (‘GDPR’).

How does the GDPR apply to your Australian business, operating over 14,000km from Europe? The GDPR could apply if your business offers goods or services in the EU, monitors individuals within the EU, or collects or uses the personal data of individuals in the EU (including for the provision of services to others). The GDPR imposes different obligations where your business is a:

  • controller, which, alone or jointly with others, determines the purposes and means of the processing of personal data; or
  • processor, which processes personal data on behalf of the controller.

Standard Contractual Clauses

In short, the GDPR requires controllers and processors to provide transparency to individuals as to how the data of those individuals is being shared and managed. Reliance on the Standard Contractual Clauses developed by the European Commission in agreements for the movement of data between controllers and processors, and between two controllers, is sufficient to meet the compliance obligations under the GDPR with regard to the movement of data.

The Standard Contractual Clauses apply where personal data is transferred between:

  • an EU controller and a non-EU controller; or
  • an EU controller and a non-EU processor.

Interestingly, the Standard Contractual Clauses generally provide an individual with rights to enforce various provisions of those Standard Contractual Clauses against the controller and processor (even though the individual may not be a party to the agreement in which the Standard Contractual Clauses are included). The Standard Contractual Clauses can also ensure that joint controllers meet their obligations to individuals in relation to the transfer of data between each other.

In addition to the use of the Standard Contractual Clauses, other appropriate safeguards could be established to transfer data from the EU to Australia. These include a legally binding and enforceable instrument between public authorities or bodies, binding corporate rules, standard data protection clauses adopted by a supervisory authority, an approved code of conduct, or an approved certification mechanism. In our experience, the Standard Contractual Clauses adopted by the European Commission are more typically adopted between contracting companies where there is a transfer of personal data from the EU to Australia for the purpose of controlling or processing that data.

If you are concerned about the application of the GDPR to your business, contact Freya Sinickas.