January 18, 2021
Prior to the end of the Brexit transition period on December 31st 2020, the General Data Protection Regulation (GDPR) continued to apply to all transfers of personal data to the United Kingdom. Once the deadline passed, the UK was to be considered a so-called third country, and would consequently have been subject to the requirements for transfer of personal data to third countries as stated in Chapter 5 of the GDPR.
Due to a temporary agreement reached between the UK and the EU Commission during the Christmas holidays, continuity was secured and, for now, personal data can be transferred as if the UK were still covered by the GDPR. This temporary agreement is in place until June 30th 2021.
Since January 1st 2021, the UK has applied its own separate, national data protection legislation, which aligns with the GDPR obligations. It is presumed that the UK will be added to the list of countries with a corresponding adequate protection level when the temporary agreement expires, thus allowing for continued transfer without calling for additional security measures. This presumption is partly supported by the fact that the temporary agreement has been reached at all. The UK, for its part, has assessed on a transitional basis that the EU and the EEA states have an adequate level of protection for data transfers from the UK to be permitted.
Should the EU Commission decide not to add the United Kingdom to this list of countries with an equivalent protection level, the UK will be considered a third country and Chapter 5 of the GDPR will apply from July 1st 2021, with the following implications:
Organisations that currently transfer personal data to the UK should already be mapping such data transfers as well as updating their records of processing activities (ROPA) and privacy policies. Existing processor contracts will need updating with standard contractual clauses (an updated version has been issued by the EU Commission), and additional security measures should be reviewed. If personal data is transferred from the UK to an organisation within the EEA, compliance with national British legislation will have to be checked.
At Zacco, we advise on all matters concerning EU data protection regulation. We cover both legal and technical aspects, making sure that your handling of personal data complies with all relevant regulations. If you are wondering how Brexit affects your business from a GDPR perspective, we can advise and assist. Please get in touch with Peter Friis, Linda Methlie, Kristian Elftorp, Jennifer Godorn or your trusted Zacco attorney to learn more. For queries on data transfer from the UK, please contact Alison Lawson or Coreena Brinck.
The original version of this article was published on Zacco.com