Call us +3188 2055 000

Brexit and the GDPR

UK companies doing business in the EU as well as EU companies doing business in the UK may be affected by Brexit when it comes to processing personal data. In this article we outline the impact of Brexit on the transfer of personal data between the UK and the EU and vice versa.

The UK DPA and the EU GDPR

The Data Protection Act (DPA) of 2018 is the UK’s version of the GDPR. There are many similarities between the DPA and GDPR, such as rules and principles for:

  • Legal grounds for processing personal data, where grounds such as consent, performance of a contract or vital interest apply;
  • Purpose limitation for processing personal data, where processing cannot take place in a manner incompatible with the original, explicit purpose;
  • Accuracy of personal data being processed and stored, where measures such as erasure or rectification have to be taken when personal data is inaccurate or incomplete;
  • Retention of personal data, also known as storage limitation, where personal data cannot be stored longer than necessary.

Furthermore, under both the DPA and the GDPR, strong legal protection applies to special categories of personal data, such as ethnic data, religious beliefs and membership of political parties and/or trade unions. Individuals, known as ‘data subjects’ under the GDPR, have the right to know what personal data organizations process about them.

Territorial scope – The UK becomes a ‘third country’

Up until December 31st 2020 the UK was in a transition period, which meant that the transfer of personal data from the EU to the UK and vice versa was not considered different from a transfer from, for example, the Netherlands to France and vice versa.

From January 1st 2021 the situation has changed. With Brexit in effect from that date, the UK has become a “third country” under the GDPR. This means that other rules apply to the transfer of personal data from and to the EU. Articles 44-50 of the GDPR set these rules. In short, these rules state that the transfer of personal data from the EU to a third country (in this case the UK) is subject to appropriate safeguards, including but not limited to an Adequacy Decision (art 45 GDPR), Standard Contractual Clauses (art 46 GDPR) or Binding Corporate Rules (art 47 GDPR).

No changes in transfer of personal data until May 1st 2021

The Brexit deal concluded on December 24th 2020 states that in the first 4 months of 2021, the transfer of personal data may still take place in the same way as before, but only if the UK does not change the rules for the protection of personal data during this period. This means that until May 1st 2021, if you transfer personal data to the UK, nothing will likely change for you. What the situation will be after that is not yet known. The period of 4 months can possibly be extended to 6 months.

The UK government has indicated that it will remain possible to transfer personal data freely from the UK to the EU Member States.

Possible implications for UK companies after May 1st 2021

For companies located in the UK, some of their activities may still be within the scope of the GDPR after Brexit. This is the case when:

  • The company offers goods or services to data subjects inside the EU, regardless of financial transactions taking place;
  • The company monitors online behaviour of EU citizens (including, but not limited to, behavioural advertising, geolocation for marketing purposes, online tracking through use of cookies or other tracking techniques).

UK controllers or processors that remain subject to the GDPR should in some cases appoint an ‘EU representative’. The conditions to appoint a representative are:

  • The UK company has no offices, branches or other establishments in the EEA;
  • The goods or services must be offered to a data subject, i.e. to an individual.

The representative acts on a UK company’s behalf in relation to GDPR compliance and deals with EU Data Protection Authorities and data subjects in this respect. Details of the representative should be provided to EU-based individuals whose personal data are processed, for example by including the representative in a privacy statement published on a website.

More information

Please contact our IT consultants in case of any further questions about Brexit & the GDPR and the possible impact for your company.

Crowe Peak
Olympisch Stadion 24-28 1076 DE Amsterdam, The Netherlands
+3188 2055 000 contact@crowe-peak.nl