Certified Information Privacy Professional – United States (CIPP/US) — Question 85
A company based in the United States receives information about its UK subsidiary’s employees in connection with the centralized HR service it provides.
How can the UK company ensure an adequate level of data protection that would allow the restricted data transfer to continue?
Answer options
- A. By signing up to an approved code of conduct under UK GDPR to demonstrate compliance with its requirements, both for the parent and the subsidiary companies.
- B. By revising the contract with the United States parent company incorporating EU SCCs, as it continues to be valid for restricted transfers under the UK regime.
- C. By submitting to the ICO a new application for the UK BCRs using the UK BCR application forms, as their existing authorized EU BCRs are not recognized.
- D. By allowing each employee the option to opt out of the restricted transfer, as it is necessary to send their names in order to book the sales bonuses.
Correct answer: C
Explanation
C is correct because existing EU BCRs are not recognized under the UK regime, and a new application for UK BCRs is necessary to ensure compliance. Option A is incorrect as a code of conduct alone does not suffice without the appropriate regulatory framework. Option B is wrong because EU SCCs do not automatically apply under UK data protection laws after Brexit. Option D is not sufficient for legal compliance as employee consent does not negate the need for proper data transfer mechanisms.