Personal Data Transfers to and from the EU Post Brexit
Important: at the time of publishing this article (19 December 2020), the United Kingdom and the European Union had not agreed any 'trade deal' for the end of the transition period, nor had the UK been granted an adequacy decision by the EU for the transfer of personal data of EU data subjects. The UK would therefore become a 'third country' for personal data processing.
Note: Following the end of the Brexit Transition Period and the EU-UK Trade and Cooperation Agreement, we have provided an important update to this article which should be read first.
Transferring Personal Data from the EU to the UK
31 December 2020 at 23:00hrs will see the end of the Brexit transition period. From that point onward, Regulation (EU) 2016/679 (the General Data Protection Regulation / EU GDPR) will be absorbed into UK law as the UK GDPR, with some 'technical adjustments' under the Keeling Schedule, and the United Kingdom will become a 'third country' for the processing of personal data of European Union data subjects. The UK GDPR, together with the equally adjusted Data Protection Act 2018 (DPA 2018) and the adjusted Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), will comprise the personal data protection legislation in the UK.
This means that the pre-Brexit unrestricted movement of personal data across the border of any EU member state into the UK for processing must now rely on an alternative transfer mechanism, such as Standard Contractual Clauses (SCC) or Binding Corporate Rules (BCR).
The requirement for BCR or SCC will likely only apply to personal data that is transferred for processing inside the UK under the EU GDPR (or, going the other way into the EU, under the UK GDPR and DPA 2018), and not to 'necessary' personal data transfers.
Necessary transfers are those made directly by a consumer in the EU purchasing a product or service from an organisation in the UK. For example, an EU data subject intending to travel to the UK books a hotel. The transfer of their own personal data that enables the booking is unrestricted under the EU GDPR and UK GDPR. However, the transfer of the personal data of others when making a block booking for a group would not be classed as a necessary transfer and would require the use of an appropriate alternative mechanism. Receiving the personal data of EU data subjects as a necessary transfer will still require UK controllers and/or processors to comply with the EU GDPR.
If the personal data of EU data subjects is transferred to a UK controller or processor in a transfer that is not classed as necessary, and in the absence of an adequacy decision under EU GDPR Article 45, then one of the following transfer mechanisms or appropriate safeguards must be used:
- Binding Corporate Rules (BCR), or
- Standard Contractual Clauses (SCC)
BCR will apply to personal data transfers between two or more establishments within the same group of legally connected organisations. For example, a parent company based in an EU member state that has establishments in the UK and other EU member states, one of which is classed as the main establishment.
SCC will apply to personal data transfers between two or more organisations which are connected by a contractual relationship. For example, an organisation based in an EU member state that has a contractual relationship with a service provider in the UK which involves the transfer of personal data of EU data subjects for processing in the provision of that contracted service.
Requirement for a European Data Protection Representative
EU GDPR Article 27 lays out the requirement for controllers or processors not established in the EU. Once the UK moves beyond the transition period, UK based controllers and/or processors who are offering goods or services to individuals in the European Economic Area (EEA), or monitoring the behaviour of individuals in the EEA, and who have no offices, branches or other establishments in the EEA, will likely be required to appoint a European representative, subject to the derogations in EU GDPR Article 27.2.
These controllers and or processors will also need to consider in which EU or EEA member state their representative will be based and put in place an appropriate written mandate for that representative to act on their behalf.
Actions to Take
The changes in data protection law via the Keeling Schedule adjustments, the Brexit Withdrawal Bill, Retained EU Law, etc. mean that, at a minimum, organisations must revisit their privacy frameworks, policies and procedures to ensure that the legal terms and positions stated in them reflect the changes following the end of the Brexit transition period.
The following table is provided in good faith to give some guidance and does not constitute legal advice. Every UK controller and/or processor should seek their own legal clarification specific to their trading circumstances.
| Scenario | Compliance with EU GDPR | Use of BCR | Use of SCC | EU Representative |
|---|---|---|---|---|
| The UK based organisation receives personal data from EU data subjects directly, when they purchase a product or service. | Mandatory. | Not required. | Not required. | Not likely to be required. |
| The UK based organisation receives the personal data of several EU data subjects from an EU controller or processor, when providing a product, service or business function. | Mandatory. | Required where the personal data is transferred within several organisations across the UK and EU/EEA with a legal connection, e.g. a group. | Required where the personal data is transferred between two or more distinctly separate organisations working on a contractual basis. | Likely to be required where the UK organisation has no offices, branches or other establishments in the EEA and the processing is not occasional, or includes large scale processing of special categories of personal data or of personal data relating to criminal convictions. |
| The UK based organisation is specifically marketing to or targeting EU data subjects regarding its products and/or services. | Mandatory. | Required where the personal data is transferred within several organisations across the UK and EU/EEA with a legal connection, e.g. a group. | Required where the personal data is transferred between two or more distinctly separate organisations working on a contractual basis. | Likely to be required where the UK organisation has no offices, branches or other establishments in the EEA and the processing is not occasional, or includes large scale processing of special categories of personal data or of personal data relating to criminal convictions. |