Watercooler by DPOrganizer

Anonymous
Asked: October 4, 2021 (2021-10-04T12:44:21+01:00) In: GDPR

Using SCCs

Hi, looking for some guidance if possible please.
We are considering use of Fly to host a couple of our applications. They are “packaged” into containers and deployed into specific data centers and not moved. We would be using their UK based data centers – should I still consider using SCCs?

    7 Answers

    1. DPOandCyber

      Added an answer on October 13, 2021 at 11:19 am

      https://edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf

      The current UK SCCs are likely to have a very short shelf life (it is likely we will see new ones in 2022 based off the ICO consultation carried out). If those draft ones get approved through parliament, then there will be a handy addendum that takes the EU SCCs and makes them compliant with UK GDPR.

    2. DPOandCyber

      Added an answer on October 13, 2021 at 11:18 am

      This is a great example of a grey area! The most important thing is to document your thought processes in an assessment. The source of the data (if there is data relating to EU individuals then it requires EU GDPR) is important when considering how you approach your assessment.

      You may wish to take a look at the EDPB guidance and carry out the checklist. Based on the question, data of UK and potentially EU individuals is accessible by a US organisation that could be compelled through the likes of a FISA request to use the data for other than its intended use. This is where your assessment comes in handy. Is the data you process likely to present real or significant harm to the individuals if it is compromised is the main question to ask, then assess the risk of the setup based on your answer.

      The EDPB guidance offers what is more commonly known as a Transfer Impact Assessment or TIA.

    3. Caroline

      Added an answer on October 4, 2021 at 6:14 pm

      Hi, apologies, I should have mentioned that we are based in the UK and would opt to use the UK data center so technically the data doesn’t leave the UK however the organisation are US based and may well have access to our data – limited though that is. Would a DPA still be sufficient for this?

      • d9d9d9

        Replied to answer on October 5, 2021 at 2:53 pm

        Hi Caroline! If you’re referring to Fly Software Ltd – it is a UK company and therefore a DPA would be enough and no transfer tool should be needed if your company is in the UK, too. As far as I know the jury is still out on how US surveillance laws (e.g. Cloud Act and FISA) impact UK/EU companies with US parent companies. Maybe someone else in the community knows more?
        If you decide to play it safe and apply a transfer tool, I can only say that the ICO announced that the old SCCs are still valid for third country transfers. You can find the adapted versions and more info about the post-Brexit context here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers-after-uk-exit/sccs-after-transition-period/

    4. d9d9d9

      Added an answer on October 4, 2021 at 2:33 pm

      If your data leaves the UK and gets transferred to a third country that doesn’t enjoy the luxury of an EU Commission Adequacy decision you have to use a transfer tool, e.g. the new SCCs (https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj). Since Schrems II you’ll also have to assess the standard of data protection of the recipient country (https://edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf and https://edpb.europa.eu/sites/default/files/files/file1/edpb_recommendations_202002_europeanessentialguaranteessurveillance_en.pdf).

      • BlueBottle

        Replied to answer on October 20, 2021 at 12:03 pm

        You’re right, and it’s a good answer, *but* the OP is in the UK so cannot use the new EU SCCs to export data outside the UK to a country not subject to adequacy regulations, and would need to use the ICO’s modified version of the “old” EU SCCs.

        The new UK IDTA would be the transfer tool once approved, but they’ve also got an addendum for the new EU SCCs where it’s not possible/practicable to modify terms.

    5. d9d9d9

      Added an answer on October 4, 2021 at 2:32 pm

      Hi! If you’re located in the EEA and want to use a processor in the UK you don’t have to enter into SCCs since the EU Commission issued an Adequacy decision for transfers to the UK. So, if the data stays in the UK you don’t have to take any extra steps to render the data transfer lawful beyond entering into a regular Art. 28 GDPR DPA. E.g. you could use the new standard DPA by the EU Commission (https://eur-lex.europa.eu/eli/dec_impl/2021/915/oj).
