Brexit and transfer of personal data to the UK
Will BREXIT affect the transfer of personal data to the UK?
With the approaching date of the UK’s withdrawal from the European Union, there are more and more doubts about the flow of personal data between the United Kingdom and EU countries. The result of the ongoing negotiations on contractual brexit regulation is still uncertain and entrepreneurs must be ready for the fact that an agreement satisfactory for both parties might not be achieved.
From March 30, 2019, the United Kingdom will cease to be a member of the EU and will become a “third country” within the meaning of the GDPR. This means that the transfer of data to the United Kingdom will require the implementation of appropriate security measures, such as the current transfer of data to Russia or China. The solution to this situation would be the adoption by the European Commission of the so-called decision on the adequacy of the United Kingdom confirming that it provides an adequate level of data protection. However, at the current stage of the negotiations it is unknown whether it will be possible to implement appropriate solutions before brexit and what shape the brexit deal will ultimately take. Now it is worth to prepare for each scenario to ensure smooth transfer of personal data to the UK, regardless of the outcome of the negotiations.
According to art. 46 section 1 of GDPR, an entity that decides to transfer personal data to a third country or an international organization, is obliged to provide appropriate security measures to ensure the desired level of personal data security. GDPR in art. 46 provides, for this purpose, a number of measures, some of which require the approval of the supervisory authority and some may be implemented directly by an agreement between the entities.
Entities that massively process personal data within a capital group may decide to adopt binding corporate rules (BCR). However the process of introducing such rules is time-consuming and requires approval of content of these rules by the supervisory body. Entrepreneurs processing personal data systemically, especially as part of outsourcing services, can use standard data protection clauses (SCC) adopted by the European Commission (both in the relations of the controller – the processor and the controller – controller). Those can be an integral part of the service contract or a separate document regulating the transmission of data. The project of implementation of such contract may be prepared earlier and used in March 2019, if necessary.
There are currently three decisions of the European Commission approving standard contractual clauses:
- decision to accept SCC No 2001/497 / EC,
- decision on the adoption of SCC No. 2004/915 / EC,
- Decision on the adoption of SCC No. 2010/87 / EU.
Choosing the right set of clauses depends on the role of the parties to the contract in the processing of personal data as well as on the individual needs of the parties. Standard contractual clauses may be supplemented with additional provisions, unless they are in conflict with the content of the clauses and will not weaken their provisions.
In the event that the decision on adequacy for the UK is not issued and the entrepreneur fails to provide adequate data protection measures, e.g. in the form of SCC or BCR, the transfer of personal data can only be made exceptionally, on the terms specified in art. 49 of GDPR, for example when:
- the data subject informed about the existing threats and the lack of adequate protection measures agrees,
- where it is necessary for the conclusion or performance of a contract concluded, in the interest of the data subject, between the controller and another natural or legal person,
- when it is necessary for the investigation or protection of claims.
If you provide your personal data to the United Kingdom or plan such activity in the near future, we recommend that you now prepare for possible changes in the transfer method. Our Law Firm will help you choose a solution adjusted to your individual needs.