Brexit: Privacy Changes
Are you a UK-based company sharing personal data with EU companies, or an EU-based company with branches in the UK? Then the following information about Brexit and its privacy changes will give you hands-on assistance.
After leaving the EU on Jan. 31, 2020, the United Kingdom also left the EU single market and the customs union on Jan. 1, 2021. In a marathon negotiation, the European Commission and the United Kingdom wrestled over the conditions of their future cooperation. The result: on December 31, 2020, they agreed on a trade and cooperation agreement that also regulates data transfers from the EU to the United Kingdom and their evaluation under data protection law. It stipulates, for example, that the UK will not be classified as an “unsafe third country” for a further transitional period of 4 months. This transition period can then be extended by a further two months. The prerequisite is that the UK adheres to its national data protection regulations, which are based on the GDPR, for this period. A deviation would only be permissible with the consent of the EU. Below, hands-on details about the privacy changes during the Brexit transition phase are listed.
Are you a UK-based company?
In the UK, the national data protection law, the Data Protection Act 2018 (DPA 2018), was aligned with the GDPR. In preparation for the period after the end of the Brexit transition phase, the provisions of the GDPR were essentially adopted into UK law, supplemented and adjusted linguistically.
Both the DPA 2018 and the GDPR claim to have extraterritorial effect. As a result, companies that process personal data in the UK and in the EU must comply with both the DPA 2018 and the GDPR after the end of the transition period. The same applies vice versa for companies in the EU that process personal data of data subjects in the UK.
For UK companies sharing personal data with EU companies, European data protection rules remain hugely important even after leaving the European Economic Area (EEA). If non-European companies (see EU Representative) continue to offer their goods and services to individuals located in the EU, they will still be within the scope of European data protection regulations (known as the place-of-market principle). As a UK company, it is necessary to check in particular:
- which supervisory authority is competent in the EU,
- whether there is an obligation to appoint an EU Representative pursuant to Art. 27 EU GDPR,
- whether a data protection officer must also be appointed for the EU (e.g. according to BDSG),
- whether the envisaged adequacy decision for the UK has been issued in the meantime; as long as this is not the case, whether the EU standard data protection clauses have been concluded,
- if UK law remains unchanged, whether the company will have to comply with more than one jurisdiction from then on.
We would be happy to assist you as your EU Representative.
Contact us for a free initial consultation.
Are you an EU-based company with branches in the UK?
If such a company processes personal data from the EU in the course of its activities, the situation must be treated as a third-country situation once the transition period has expired. Consequently, it must be ensured that the data processing within the group is safeguarded by one of the measures described in Chapter V of the GDPR.
Depending on the size of the group, it may be advisable to implement binding corporate rules (BCR) that must first be found appropriate by the supervisory authority. Depending on how the joint intra-group data processing is organized, the group companies act as joint controllers or controllers and processors. However, other mechanisms, e.g., certification of the group company in the UK, may also justify the data transfer, once such certification exists.
At the same time, it is important to check whether UK data protection law (DPA 2018) imposes requirements on the transfer of data from the UK to third countries, e.g. the EU. In particular, companies should check whether an EU representative must be appointed in the UK in this setting, and vice versa.
For EU-based companies with branches in the UK, an adequate level of data protection should be ensured by:
- setting up a data protection organization in the company that meets the data protection requirements of both the EU (GDPR) and UK (DPA 2018) jurisdictions,
- implementing EU standard data protection clauses or, in the case of data exchange between group companies, Binding Corporate Rules,
- relying on exceptions for certain cases, such as the explicit consent of the data subject or a transfer necessary for the fulfilment of a contract with the data subject,
- reviewing your company’s privacy impact assessments (PIAs) for implications related to data transfers to the UK, and
- updating the record of processing activities.
Do not waste time! Create the conditions for lawful data exchange in compliance with the privacy changes during the Brexit transition phase. If you need assistance, contact us.