Possible impact of Brexit on transfer of personal data to the UK?
There is a transition period through Dec. 31, 2020. At least for now, nothing will change.
What happens starting Jan. 1, 2021
The transfer of personal data may still take place in the first 4 months of 2021 in the same way as it does now. This was stipulated in the Brexit deal of December 24, 2020. This can only happen if the United Kingdom does not change the rules on personal data protection.
This period may be extended to 6 months. What the situation will be after that is not known at this time; it depends on whether the European Commission has made an adequacy decision regarding the transfer of personal data to the UK.
What if an adequacy decision is made?
The free flow of personal data to the United Kingdom can remain free if the European Commission adopts an adequacy decision on the appropriate level of protection for the processing of personal data.
What if an adequacy decision is not made?
If the European Commission has not made an adequacy decision, the UK is considered a third country for transfers of personal data, i.e. a country outside the EEA.
This means adhering to GDPR privacy rules governing transfers of personal data to third countries starting July 1, 2021.
Which companies are affected by Brexit?
Brexit has implications for all organizations processing personal data in the European Economic Area, for example:
- a multinational company that also has a presence in the United Kingdom;
- a Belgian organization consulting a social secretariat in the United Kingdom to calculate wages;
- a Belgian municipality contracting a UK cloud provider for data storage.
It is critical to verify whether the organization(s) with whom your organization shares personal data is/are located in the United Kingdom.
What documents are needed after Brexit?
- There are standard or purpose-built data protection rules. For more info, contact iReto.
- There are Codes of Conduct or certification mechanisms.
- In international organizations and multinational companies, personal data is always transferred between the SBUs themselves and some business units may be located outside the European Economic Area (EEA). For this purpose, these organizations will establish internal codes of conduct internationally called “Binding Corporate Rules” or BCR for short.
- If one wants or needs to process or transfer personal data to countries without the appropriate level of protection, the BCR establishes safeguards to optimize the protection of personal data.
- A BCR must always be approved by the European privacy regulator, after which approval can be given by the European Data Protection Board. In the BCR, all aspects must comply with the European privacy law, the GDPR (AVG in Dutch).
- There may also be sporadic transfers of personal data to third countries, which are allowed only under strict conditions and in highly exceptional cases.
Can we still receive data from the UK after Brexit?
The UK government has confirmed that it will continue to allow the exchange of personal data with EU member states.
What role will the ICO or Information Commissioner’s Office have?
The ICO remains the independent oversight body with respect to UK data protection legislation.
During the transition period, the ICO will participate in the cooperation and consistency mechanism under the GDPR and remain a lead supervisory authority.
The UK government will continue to work to maintain close working relationships between the ICO and EU supervisory authorities once the transition period is over.
Should a representative be appointed?
If you are located outside the UK and you do not have a branch, office or other establishment in the UK and you:
- offer goods or services to individuals in the UK; or
- monitor the behavior of individuals in the UK,
then you must comply with the UK GDPR as of Jan. 1, 2021. The UK GDPR requires you to appoint a representative in the UK.
Your representative can be an individual, or a company or organization based in the UK (e.g. a law firm, consulting firm or private individual), and must be able to represent you in relation to your obligations under the UK GDPR. In practice, the easiest way to appoint a representative is through a simple service contract.
You must authorize the representative in writing to act on your behalf regarding your compliance with the GDPR in the UK and to communicate with the ICO and with data subjects.