Brexit: which consequences for data flows to the UK?
No one can be unaware that the United Kingdom left the European Union on 31 January this year. But what are the consequences for the protection of personal data? Here’s a quick overview of the rules to bear in mind.
Does the GDPR still apply in the UK?
Yes, until 31 December 2020 the GDPR will continue to apply. This has been included in the withdrawal agreement.
Are there any formalities to be completed if I transfer data to an English company?
No. As long as we are in the transitional period (until 31 December 2020), no additional formalities are necessary for data transfers to the UK. There is no need to provide for appropriate safeguards as provided for in Articles 44 et seq. of the GDPR. Note that the transitional period may be extended by one or two years.
And after 31 December 2020?
During the transitional period, the EU and the UK will negotiate and define their future relationship. The issue of personal data flows will have to be part of this negotiation. After the transitional period, appropriate safeguards for data transfers will therefore need to be in place unless the European Commission recognises the UK as a country offering adequate protection. It will then be part of the “white list” along with Argentina, Andorra, Canada (PIPEDA), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (Privacy Shields).
What do I have to think about?
In your contracts with UK partners, include clauses that make it easy to review the rules for the transfer of personal data.