This article explains Reward Gateway’s position on data protection regulations in light of:
- The departure of the United Kingdom (UK) from the European Union (EU) and European Economic Area (EEA) as part of the Withdrawal Agreement.
- The changes that were necessary to sub-processor relationships as part of the Schrems II ruling.
We are happy to discuss this in detail with you should you require further information.
Following the UK’s departure from the EU, will Reward Gateway make any changes to its use of European data centres and sub-processors?
No. There are currently no restrictions on data sharing from the UK to the EEA.
Companies based in the UK will continue to be able to use EEA based processors because the Information Commissioner's Office (ICO) has decided that the EU standards and rules are ‘adequate’.
You can read more about this decision and how the ICO reached it on their website.
Are there any increased risks to using EU based data processors?
We do not believe the risks have materially changed for UK data subjects. The EU GDPR continues to be one of the strictest sets of data protection regulations in the world, and the EU based Data Protection Authorities have actively enforced these regulations too.
We will continue to monitor and review the UK ICO's position.
What about transfers of UK data to non-EU countries, like the USA?
Apart from our EU based sub-processors, all of our other sub-processors are based in the USA.
Following the Schrems II ruling, and the invalidation of EU-US Privacy Shield, we reviewed all of our relationships with USA based sub-processors.
We carried out a Transfer Impact Assessment for each sub-processor and looked at the risks to data subjects and what supplementary measures we could introduce, such as:
- Contractual measures - requiring the sub-processor to inform us of requests from law enforcement
- Organisational measures - reviewing transparency reports published by sub-processors
- Technical measures - ensuring data encryption at rest and in transmission using AES-256 and TLS 1.2 as a minimum
Our conclusion was that, with supplementary measures in place, the risk to data subjects remains very low and would not materially change as a consequence of moving to Standard Contractual Clauses (SCCs) as an alternative transfer mechanism.
There is not yet an EU approved set of Processor-Processor SCCs that we can sign with our sub-processors. There is also no easy way for us to sign SCCs between each customer and our sub-processors. Our approach has therefore been to sign EU approved Controller-Processor SCCs with them. These agreements list Reward Gateway as the data exporter and the sub-processor as the data importer, and remain valid in the UK throughout the extension period negotiated in the Withdrawal Agreement.
This is all reflected in our Sub-Processor Information document, kept up to date at rg.co/agreements.
We will revisit this when the EU publishes more appropriate Processor-Processor clauses and the ICO publishes equivalent, UK approved SCCs.
Will you sign SCCs with us?
If you are a UK business contracted with Reward Gateway (UK) Ltd
As you are a UK based Data Controller, sharing data with Reward Gateway UK, then SCCs are not required or valid. Per the European Commission "[SCCs are] … for data transfers from data controllers in the EU to data controllers established outside the EU or European Economic Area (EEA)."
If you have an EU entity as part of a UK business contracted with Reward Gateway (UK) Ltd
If you have EU based group companies that use our services, but are contracted with us through your UK entity, then SCCs are again not required. This is because the transfer is between two UK businesses.
You may need a legal mechanism to handle the 'intra group' transfer between your EU and UK entity.
If you are an EU business contracted with Reward Gateway (UK) Ltd
We will happily sign SCCs with you alongside our Data Processing Addendum. Please use the documents available at rg.co/agreements.
Does Reward Gateway have a 'Nominated Representative' in the EU, once the UK leaves?
Yes. We have appointed Data Protection experts Castlebridge to provide an Ireland-based Nominated Representative service. They can be contacted through:
Post: Reward Gateway Nominated Representative c/o Castlebridge Nominated Representative Services Ltd, Unit 7, 12 Mountjoy Square North, Dublin 1
You can also find their details in our Privacy Notices.