Impact of Brexit on personal data flows
On 31 December 2020, the transition period that started on 31 January 2020 came to an end. During this transition period, the United Kingdom (the ‘UK’) and the European Union (the ‘EU’) negotiated a new deal regarding their future relationship: the ‘EU-UK Trade and Cooperation Agreement’ (hereinafter ‘the Trade Agreement’). The Trade Agreement will apply on a provisional basis until 28 February 2021, and will then be voted on by the European Parliament.
What does this actually mean for personal data flows?
As regards personal data flows, the Trade Agreement provides for a new grace period of up to six months (4 months with an option for a 2-month extension) from 1 January 2021 until 1 July 2021 at the latest (hereinafter ‘the Transition Period’), in order to enable the European Commission (hereinafter ‘EC’) to assess the adoption of a so-called Adequacy decision on the UK.
An Adequacy decision is an official statement by the EC which recognises that the UK offers an adequate level of data protection. In practice, this decision means that data transfers to the UK will be able to take place without any further safeguard being necessary.
As a result, the Trade Agreement states that transfers of personal data between the EU and the UK will remain valid during the Transition Period without further restrictions.
However, if no adequacy decision has been taken before the end of the Transition Period, the UK will be qualified as a ‘third country’ under the GDPR, which means that Belgian companies and/or other entities will need to take one of the following measures:
- The implementation of standard contractual clauses as adopted by the European Commission or a supervisory authority (Article 46 of the GDPR)
- The implementation of contractual clauses between the parties after authorisation of these clauses by the supervisory authority, also called the ad hoc clauses (Article 46(3) of the GDPR)
- The adherence to an approved code of conduct (Article 40 GDPR)
- The adherence to approved binding corporate rules (Article 47 of the GDPR).
Moreover, your European company and/or other entities shall make an assessment of all circumstances with regard to the data transfer and take appropriate measures, for instance by implementing additional technical measures, reviewing privacy-related documents (data register, policies, contracts, etc.) and informing the data subjects accordingly.
What about personal data received from the UK?
If you are just receiving personal data from the UK but not transferring personal data to this territory, the Trade Agreement has no consequences in this regard from an EU perspective.
What about companies established in the UK which are offering goods and services to data subjects in the EU or monitoring their behaviour?
As a result of the Trade Agreement, the 'one-stop-shop' mechanism ceases to apply, meaning that companies established solely in the UK whose processing activities are subject to the application of the GDPR will need to comply with this legislation and will be required from 1 January 2021 to designate a representative in the EU.
What are the consequences if one of my branches and/or subsidiaries is located in the UK?
As stated above, the GDPR will still apply in the UK for a Transition Period of up to six months from 1 January 2021. After the Transition Period, the GDPR as such will no longer apply. As far as is known so far, a new so-called ‘UK GDPR’, which enacts the EU GDPR’s requirements in UK law, will take effect, along with an amended version of the UK Data Protection Act 2018 (DPA), which merges it with the requirements of the EU GDPR to form a data protection regime that will work in a UK context after Brexit.
In the event of an Adequacy decision, transfers of personal data to your UK branch and/or subsidiary will continue without further restrictions.
In the absence of an Adequacy decision, data transfers between your EU based company and your UK based branch and/or subsidiary must be covered by appropriate safeguards as set out above.
Finally, branches and subsidiaries in the UK will still need to comply with the GDPR. Among other things, you should appoint a representative in the EEA if you are offering goods or services to individuals in the EEA or monitoring the behaviour of these individuals.