• image
  • image
  • image
  • image
  • image

HARD BREXIT: COMPLIANCE REQUIREMENTS FOR PERSONAL DATA TRANSFER INTO THE UNITED KINGDOM TO BE APPLIED WITHIN MARCH 30, 2019

 

On February 12, 2019 the European Data Protection Board (“EDPB”) issued an Explanatory Note addressed to commercial entities and Public Authorities concerning data transfers, in accordance with the GDPR, in the event of a "no-deal Brexit".

With reference to personal data transfers from the EEA (European Economic Area) to the UK, in the absence of an "exit agreement" between the EU and the UK, the latter will become a "third country" pursuant to Sections 44 through 49 of the GDPR as of March 30, 2019. Therefore, the transfer of personal data from EEA territories to the UK -- in the absence of a EU "adequacy decision" -- must be based on one of the following instruments within March 30, 2019: Standard or ad hoc Data Protection Clauses, Binding Corporate Rules, Codes of Conduct and Certification Mechanisms, and "Derogations" adopted under certain conditions pursuant to Section 49 of the GDPR.

The EDPB has pointed out that commercial companies should prepare themselves for a "no-deal" scenario; so they should:

(i) Identify their personal data flows towards the UK;

(ii) Choose the appropriate data transfer instrument (see above) for personal data transfers to the UK;

(iii) Implement such instruments within March 30, 2019;

(iv) Provide for, in their internal data protection documents (e.g. the Records of Processing Activities and Data Protection Impact Assessment), personal data transfers to the UK;

(v) Update their Privacy Notice and Consent Form for such processing of personal data.

With respect to data transfers from the UK to the EEA, according to the UK Government, the current practice - allowing the free transfer of personal data from the UK to the EEA - will continue also in the event of a "no-deal Brexit".

Our firm’s legal team specialized in personal data protection rules is fully available to advise clients with respect to issues arising from GDPR compliance and data transfer; please send your queries through the "Contact" section of this website.