After Brexit, under the provisions of the agreement governing cooperation with the EU, the transfer of data to the UK was conditionally not treated as a transfer of data to a third country within the meaning of the GDPR. Therefore, it did not require additional safeguards such as standard contractual clauses. The agreement stipulated that such an arrangement would last no longer than 30 June 2021.
The European Commission's decision came into force almost at the last minute, on 28 June 2021, and will remain in force until 27 June 2025. After that time, the decision may be extended.
What does it mean for data controllers?
No need to apply additional safeguards
When transferring personal data to the UK, it will not be necessary to apply the additional safeguards indicated in Article 46 GDPR (including binding corporate rules and standard contractual clauses) or to resort to the exceptional measures indicated in Article 49 GDPR (e.g. obtaining consent for the transfer of personal data to a third country).
Updating of information clauses
Controllers transferring personal data to the UK should review their information clauses and update their content if necessary. Data subjects should be informed that their data is being transferred to a third country that has been recognised as providing an adequate level of data protection in accordance with a decision of the European Commission.
Verification of data processing documentation
In the register of personal data processing activities, controllers should review the processes in which personal data is transferred to the UK and supplement their descriptions with information on the transfer of data to a third country.
What does this mean for data processors?
Processors should review their processing entrustment agreements with regard to transfers of data to a third country, in particular whether controllers have instructed them to process personal data in this way, or whether the agreement prohibits them from transferring data to third countries or requires them to obtain prior consent for such transfers.
Which third countries have been deemed to have an adequate level of data protection by the European Commission?
The most recent countries for which the European Commission has issued adequacy decisions are the United Kingdom and Japan. Previously, adequacy decisions were issued for Switzerland, Canada (to a limited extent), Argentina, Guernsey, Jersey, Isle of Man, Faroe Islands, Andorra, Israel, Uruguay and New Zealand. The decision concerning the United States (Privacy Shield) was declared invalid by the Court of Justice in 2020 in the Schrems II case.