EU to UK Personal Data Transfers Post the Brexit Transition Period

In Gary Payne’s third article on the effect of the end of the Brexit transition period on personal data transfers between the European Economic Area (EEA), the European Union (EU), and the United Kingdom (UK), he looks in closer detail at the likely consequences for data controllers and data processors.

Previous articles:

  1. Personal Data Transfers to and from the EU Post Brexit (19 December 2020)
  2. Personal Data Transfers to and from the EU after the Brexit Transition Period (Post Transition Update) (04 January 2021)

Firstly, let us clarify the position regarding personal data of EEA / EU data subjects processed by UK controllers and processors. The UK left the EU on 31 January 2020 and moved into an agreed ‘transition period’ until 31 December 2020, and as the UK moved beyond the transition period, the UK became a third country.

For personal data of EU data subjects to be processed in a third country, there must be a legal mechanism in place. The primary mechanism sought by most third countries is ‘Adequacy’ which is where the European ‘Commission (EC) has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation’ (EU GDPR Art. 45.1). The UK is seeking a decision on adequacy however, that may take four to six months.

Where an adequacy decision does not exist, transfers of EU data subjects’ personal data may still take place using one of two other mechanisms which are Standard Contractual Clauses (SCC) and or Binding Corporate Rules. These are each designed for different controller and or processor relationships.

SCC are used between two unconnected parties e.g., the controller in the EEA / EU transfers personal data to a UK processor that is a different and or unconnected organisation. BCR are used within a group of organisations where one establishment in that group transfers EU data subjects’ personal data to other parts of the group; BCR principally covers internal group data transfers. There are some EU data subjects’ personal data processing carried out in third countries to which neither SCC and or BCR applies (see Processing and or Transfers of Personal Data Matrix below). Note, the group of organisations could all exist outside the EEA / EU and if there are no establishments belonging to the group based within the EEA / EU, then there may also be a requirement for an EU Representative.

Some UK controllers and or processors, may be processing EU data subjects’ personal data that was received prior to 31 December 2020 and this must be treated as Legacy data and the table below, provides an outline of the various ‘periods’ pre- and post-Brexit transition:

Legacy Period

Up to 31 December 2020

Bridge Period

01 January 2021 to 30 April 2021

Bridge Extension

01 May 2021 to 30 June 2021

Adequacy Decision

Either from 01 May 2021 or 01 July 2021

No Adequacy

Either from 01 May 2021 or 01 July 2021

Organisations need to identify all personal data of EEA / EU data subjects that existed prior to 31 December 2021. This will be ‘legacy’ data and in the event of no adequacy decision, this legacy data will be subject to EU GDPR as it stood on 31 December 2021

The EU has agreed to delay transfer restrictions for a minimum period of four (4) months which can be extended up to six (6) months. This is the Bridge period.

At the end of the Bridge period, if no adequacy decision is achieved, then transfers from the European Economic Area (EEA) to the UK will need to comply with EU GDPR transfer restrictions.

Data transfers from the EEA / EU to the UK, EU GDPR Article 45 applies, and it is likely that Article 27 also applies.
See below.

Data transfers from the UK to the EEA / EU no current restrictions apply.

Data transfers from the EEA / EU to the UK, EU GDPR Article 46 applies, and Article 27 will most likely also apply.
See below.

Data transfers from the UK to the EEA / EU, no current restrictions apply.

If UK organisations receive personal data of EEA / EU data subjects, then these organisations should actively prepare alternative transfer safeguards e.g., BCR or SCC, to be in place before the end of the four-month period (end of April 2021. These safeguards may not be required should adequacy be achieved; however, UK organisations should be prepared.

The main question remains, what do organisations need to do and or prepare for? Gary Payne has tried to answer this using the table in the image below (click image to ‘pop-out’ full sized version or click here for a PDF version). The table covers the principal situations organisations will find themselves in however, if you identify your organisation in one of those shown, you should seek specific guidance to your organisation’s data processing from a data protection professional.

Data Privacy

When you Submit the enquiry form you will be sending us your Personal Data. To understand how we handle your data please read our Privacy Statement and Policy.