With the European Union passing an adequacy decision and allowing a new E.U.-U.S. Data Privacy Framework (DPF), UKG is now a certified organization under the framework, effective July 17, 2023. This change provides additional reassurances related to cross-border transfers of personal data from the European Union to the United States in a way that’s compliance with E.U. data protection laws. Here’s a quick breakdown:
A new way to transfer personal data across the Atlantic
The E.U.-U.S. DPF is a new framework that allows organizations to transfer personal data from the European Union (EU) to the U.S. This is a welcome step towards greater transatlantic cooperation on data protection.
Recently, changes to U.S. intelligence-gathering requirements enabled the path to the new framework for transfers of E.U. personal data. Transfers based on the adequacy decision do not require any specific authorization under Article 45 of General Data Protection Regulation (GDPR) to legitimize transatlantic data transfers.
Understanding General Data Protection Regulation
The GDPR is a regulation in E.U. law on data protection and privacy for all individuals within the E.U. and the European Economic Area (EEA). It also addresses the export of personal data outside the E.U. and EEA areas. GDPR aims primarily to empower individuals by giving them more control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the E.U.
The E.U.-U.S. DPF and GDPR are sets of rules designed to protect the privacy of personal data. UKG will continue to abide by the Standard Contractual Clauses and other applicable cross-border mechanisms, including for transfers out of the United Kingdom and Switzerland for intra-group transfers and transfers to our subprocessors. The Standard Contractual Clauses will remain a valid instrument to demonstrate our compliance with Article 28 of GDPR.
Currently, UKG uses multiple mechanisms to provide you with cross-border transfer security and greater customer protection:
- An inter-company agreement applicable to all UKG affiliates
- Standard Contractual Clauses (SCCs), which are included in the UKG Data Processing Agreement and reflects best-in-industry commitments
UKG continues to abide by the SCCs and other applicable cross-border mechanisms, including for transfers out of the U.K. and Switzerland for intra-group transfers and transfers to our subprocessors. The SCCs remain a valid instrument to demonstrate UKG compliance with the GDPR.
Additionally, UKG maintains its Privacy Shield certification and is in the process of adopting the required changes to our privacy notice to transition to the DPF by mid-October 2023.