How Brexit affects the transfer of personal data
18 January 2021
Prior to the end of the Brexit transition period on December 31st 2020, the General Data Protection Regulation (GDPR) continued to apply to all transfers of personal data to the United Kingdom. Once the deadline passed, the UK was to be considered a so-called third country, and would consequently have been subject to the requirements for transfer of personal data to third countries as stated in Chapter 5 of the GDPR.
Due to a temporary agreement reached between the UK and the EU Commission during the Christmas holidays, continuity was secured and, for now, personal data can be transferred as if the UK were still covered by the GDPR. This temporary agreement is in place until June 30th 2021.
Since January 1st 2021, the UK has applied its own separate, national data protection legislation, which aligns with the GDPR obligations. It is presumed that the UK will be added to the list of countries with a corresponding adequate protection level when the temporary agreement expires, thus allowing for continued transfer without calling for additional security measures. This presumption is partly supported by the fact that the temporary agreement has been reached at all. The UK, for its part, has assessed on a transitional basis that the EU and the EEA states have an adequate level of protection for data transfers from the UK to be permitted.
Should the EU Commission decide not to add the United Kingdom to this list of countries with an equivalent protection level, the UK will be considered a third country and Chapter 5 of the GDPR will apply from July 1st 2021, with the following implications:
- Transfer of personal data to the United Kingdom requires adequate safeguards, such as standard contractual clauses or binding corporate rules (“BCR”), in compliance with article 46.
- Furthermore, additional security measures such as encryption and pseudonymisation could become necessary, as for other third countries, in order to reach a security level equivalent to the one within the EU. Here the European Data Protection Board’s recommendation (01/2020) can be applied.
- Controllers and processors will have to comply with all obligations deriving from GDPR. These obligations include, among other things, the update of records of processing activities (“ROPA”) and updating privacy policies to include transfers to the UK.
- For data transfer from the UK to EEA countries, guidance on how to apply the national British data protection legislation can be found on, for example, the ICO website.
Organisations that currently transfer personal data to the UK should already be mapping such data transfers as well as updating their ROPA and privacy policies. Existing processor contracts will need updating with standard contractual clauses (an updated version has been issued by the EU Commission), and additional security measures should be reviewed. If personal data is transferred from the UK to an organisation within the EEA, compliance with national British legislation will have to be checked.
At Zacco, we advise on all matters concerning EU data protection regulation. We cover both IP-related legal and technical aspects, making sure that your handling of personal data complies with all relevant regulations. If you are wondering how Brexit affects your business from a GDPR perspective, we can advise and assist. Please get in touch with Peter Friis, Linda Methlie, Kristian Elftorp, Jennifer Godorn or your trusted Zacco representative to learn more. For queries on data transfer from the UK, please contact Alison Lawson or Coreena Brinck.