First, in 2018, the DPA implements the requirements of the EU GDPR into UK law. Second, the UK government has adopted a legal instrument – data protection, privacy and electronic communications (Amendments, etc.) (EU Exit) Regulations 2019 – that amends the DPA in 2018 and combines it with the requirements of the EU GDPR in order to put in place a data protection regime that will work in a UK context after Brexit. The extraterritoriality of the UK data protection framework will continue to apply. This means that controllers or processors established outside the UK, who process personal data about individuals in the UK in connection with the provision of goods and services or the monitoring of their behaviour, are caught red-handed. It is essential that this includes managers and processors established in the EEA. One of the long-heralded benefits of the GDPR is the „one-stop-shop“ regulatory system for organisations that process personal data across the EU. According to the ID, the UK can no longer participate (meaning that companies that currently have their Lead SA in the UK must consider the location of a Lead SA in the EU). They may also wonder if they need an EU-based DSB. For more information, see our article. EEA data flow to the UK – Interactive tool Whatever your choice to address the issue of Brexit, it is important to check that all existing contracts and conditions are in line with your intentions. This is particularly the case for data transmission contracts or data processing agreements.
While the UK will rely on an alignment position with the EEA on data protection, the EU has expressed some reservations that could be a stumbling blocks for adequacy. Concerns were reinforced following the release of the UK`s national data strategy, which indicated that the UK could derogate from the GDPR in the future, and followed Boris Johnson`s statement in February 2020 that the UK would try to put in place „sovereign controls“ over data protection. The review will focus on the United Kingdom`s agreements on the exchange of data with the United States under the Agreement on Access to Electronic Data for the Purpose of Combating Serious Crime and on transfer to the United States in general. The EU is also concerned about possible access to EU data by UK national law enforcement and security authorities, a topic highlighted in the recent ECJ ruling in Privacy International. If you need advice or guidance on the impact of Brexit on your company`s confidentiality obligations, contact one of our experts. Call +44 (1474) 55 66 85 or request a reminder via the form below. Therefore, prudent organisations processing the personal data of UNION citizens should take measures to ensure that they continue to comply with the law after 31 December 2020, in the absence of an adequacy decision. Our webinar, aimed at small and medium-sized organisations, examines the main data protection requirements that need to be taken into account at the end of the transitional period of exit from the EU. In the absence of a Brexit deal between the UK and the EU covering data protection and data transfer agreements, the answer is no. The Commission should be subject to an evaluation procedure before it can grant adequacy.
Despite requests from the British government, this process is in mind. the Commission is currently of the opinion that it will not start the process until the UK leaves the EU and becomes a third country. Article 45 of the GDPR specifies what the Commission should take into account when examining adequacy. Similarly, the UK GDPR responds to Article 27, so that controllers and processors who are not established in the UK (including those in the EEA) are required to appoint a representative in the UK, unless they are a public authority; or their processing is only occasional, low-risk and does not contain specific categories or large-scale criminal data. To learn more about the role of the representative, click here. The on-the-post transmission of data originating in the EEA could be more problematic, as EEA protection will be necessary. . . .