Data Protection Topics for Retailers in 2021

Age Appropriate Design Code 

The Age Appropriate Design Code (the “Code”) came into force on 2 September 2020. There is a 12-month transition period, meaning that organisations must comply with the code by 2 September 2021. The Code has a very broad scope, applying to information society services likely to be accessed by children (under 18s) in the UK. In the retail space for example, this could cover apps, connected toys, social media services, devices or websites offering other goods or services to users over the internet. The Code is not limited to services directed only at children; if under 18s are likely to access to service, the Code applies (although some narrow exemptions exist). 

The Code aims to facilitate compliance with the Data Protection Act 2018 and GDPR principles by implementing appropriate safeguards for children’s personal data when children use online services. The Code sets out 15 principles, adopting a risk-based and proportionate approach. The Code includes particular safeguards that must be built into the design of a platform. The overarching theme (as set in Principle 1) is that the best interests of the child must be put first when designing such online services.

A recent ICO survey found that three quarters of businesses were not aware of the Code. Businesses should start preparations now (to the extent not done so already) and seek legal advice. 

Data Transfers

The Schrems II judgement of July 2020 shone a regulatory spotlight on data transfers outside the EU. Retailers who are transfer data from the UK and/or EEA to third countries (particularly the US where the Privacy Shield has been invalidated) will need to consider this judgement and its ramifications for data transfers. The decision affects businesses (including retailers) who rely on data transfer agreements (Standard Contractual Clauses “SCCs”) to transfer personal data to jurisdictions outside the EEA where there is no adequacy decision. Whilst SCCs remain valid, the data exporter must assess the laws and practises of the recipient jurisdiction for equivalency with UK / EU law. If they are not equivalent, supplemental measures must be implemented. 

The European Data Protection Board published draft guidance on these supplemental measures in November 2020 which we discuss further here. These include technical measures, such as encryption and pseudonymisation (provided the key remains in the EU). Whilst an effective measure, this can cause problems for data importers seeking to review the data in the clear. Technical measures are therefore best suited for data storage in the recipient country. The EBDP highlighted two further categories of supplement measures; contractual measures and organisational measures. The latter includes internal data protection policies and procedures, such as guides for handling law enforcement data access and proper escalation processes. 

Employees Returning to Work

The UK Government released a much-anticipated roadmap for its route out of lockdown. Going well, non-essential retail is expected to open in the second half of April (including personal care, leisure facilities and outdoor hospitality venues). Retailers will be planning for the safe return of workers to their outlets, which in turn raises some important data protection questions on health data and vaccinations. Health data is categorised as special data, so requires increased protection under GDPR.

It is reasonable for a retailer/employer to collect data regarding their employees’ COVID-19 symptoms provided there is good reason to do so. This also extends to household members. The ICO specifically flagged the data minimisation principle here; only the minimum amount of information required to fulfil the retailer’s purpose should be collected and retained. A retailer/employer may also ask employees if they have been vaccinated if there is good reason to do so i.e. to take necessary steps to keep staff and the public safe. If the retailer/employer’s goal could be achieved by less ‘privacy intrusive’ means, they should. Alternatively, a retailer/employer cannot require an employee to be vaccinated under relevant UK legislation. For more guidance on this topic (including from an international perspective), please see our materials here. 

Appointing EU/UK Representatives After Brexit 

Article 27 (EU) GDPR requires those located outside the EU whose data processing activities fall under the jurisdiction of the GDPR by virtue of Article 3(2) GDPR to designate a representative for GDPR compliance purposes in the EU. Organisations, such as retailers, who have no business presence in the EEA (including the EU) are caught if (i) they offer goods or services to individuals in the EEA or (ii) they monitor the behaviour of individuals in the EEA. By way of example, retailers who are processors/controllers of data, and (i) who sell their goods and services in the EU, (ii) use pan-EU supply chains, or (iii) use targeting advertising based on EEA individuals, will be caught. Many UK, US and Chinese retailers which don’t have physical operations in the EU but who target EU markets online fall into this category as well.  

EU representatives act on behalf of processors/controllers who are not established in the EU regarding their GDPR obligations. They act as communication point for data subjects and supervisory authorities in the EU (e.g., regarding enforcement actions for GDPR non-compliance). Now that the Brexit transition period has ended, UK-based organisations who have no business presence in the EU, but fall under Article 3(2), will need to appoint an EU representative. Further, a UK representative will no longer suffice as an EU representative.

Similarly, the UK GDPR requires that processors/controllers situated outside the UK, but falling under the scope of the UK GDPR (containing analogous wording to EU GDPR), will need to appoint a UK representative. 

See more information on appointing a EU/UK representative with us here.