Brexit Withdrawal Agreement Personal Data

What will happen to British companies processing data in the EEA during the transition period? You should review your privacy policy so that customers understand the movements of their personal data inside and outside the EU. However, this route is not possible if the UK organisation is responsible for processing and if the third party established outside the EEA is an EU personal data processor. The United Kingdom withdrew from the European Union on 31 January 2020. On the basis of the withdrawal agreement ratified by both the European Union and the United Kingdom, a transition period during which EU legislation will continue to apply to the UK will last until 31 December 2020. With regard to personal data, the situation remains unchanged and there is therefore no need to set up a transfer mechanism under Chapter V of the RGPD or the Criminal Prosecutions Directive. The UK Government stated that at the end of the transition period, data transfers from the UK to the EEA would be allowed. She says she will keep that up to date. The UK government intends to recognise the adequacy decisions taken by the European Commission before the end of the transition period. This will allow for continued limited transfers from the UK to most of the organisations, countries, territories or sectors covered by an EU adequacy decision. More information is available in our guidelines on international data transfers at the end of the transition period.

It is therefore necessary to find another mechanism (for example. (B) the consent of the person concerned) allowing UK processors to transmit personal data to a non-EEA data processor. For more information on the default position, see our data protection guidelines at the end of the transition period. We will maintain these instructions on our website during the transition and update them if necessary to reflect any developments. This means that UK organisations must comply with EU data protection legislation (as it stands on 31 December 2020) with regard to the processing of personal data collected before the end of the transition, which relates to people living outside the UK. The RGPD is an EU regulation that will no longer apply to the UK from the end of the transition period. However, if you operate within the UK, you must comply with UK data protection legislation. The Government has stated that it intends to incorporate the RGPD into UK data protection legislation from the end of the transition period – therefore, in practice, the fundamental principles, rights and obligations of data protection in the RGPD will not change much. In the meantime, as we wait for UK data protection legislation to remain aligned with the RGPD, our data protection guide remains a good source of advice and guidance on how to comply with UK and EU data protection rules, both now and after the transition period. During this transitional period, the UK government and the EU will ideally negotiate a data protection agreement that meets the needs of both parties, whether it is an adequacy decision, a data protection shield agreement or another agreement allowing the free flow of data between the UK and the EU.

The UK and EU said they are „committed to ensuring a high level of protection of personal data to facilitate such flows between them“ and hope to have agreements reached by the end of the transition period.