January - 2021

Consequences of Brexit on data protection

Regime of data transfers to the United Kingdom

As part of the Trade and Cooperation Agreement concluded on 24 December 2020, the United Kingdom and the European Union have agreed that the General Data Protection Regulation (GDPR) will continue to apply in the United Kingdom on a transitional basis for a maximum additional period of 6 months, until 1 July 2021.

During the transition period, sending personal data to the United Kingdom will not be considered as a transfer of data to a third country, so transfers of personal data to the United Kingdom may therefore continue without further formality.

As stated by the French data protection authority (CNIL) in its press release of 28 December 2020, at the end of this six-month transition period and in the absence of an adequacy decision by the European Commission, any transfer of personal data to the United Kingdom will be considered as a transfer outside the European Union. Such transfers will then only be possible on condition that the data exporter has first implemented appropriate safeguards provided for in the GDPR (i.e. standard data protection clauses, binding corporate rules, codes of conduct), and provided that European citizens have enforceable data subject rights and effective legal remedies for data subjects are available, in accordance with Article 46 of the GDPR.

However, as the GDPR provisions were transposed into English law by the Data Protection Act 2018, it is likely that the European Commission will adopt an adequacy decision for the United Kingdom before the end of the transition period.

Furthermore, and in any case, when data are transferred to the United Kingdom, European data controllers and/or processors will have to update their records of processing activities and their privacy policies before the end of the transition period, in order to identify transfers to the United Kingdom.

End of the « One-Stop-Shop » mechanism as of 1 January 2021

From 1 January 2021, data controllers and processors who are established solely in the United Kingdom and who process personal data of data subjects who are in the Union will cease to benefit from the “One-Stop-Shop” mechanism. Only data controllers and/or processors with a main establishment within the European Economic Area (EEA) will continue to benefit from it.

Thus, data controllers and processors only based in the United Kingdom but nevertheless subject to the GDPR as a result of their processing activities, will be required to designate a representative in one of the EU countries.

This representative will be the point of contact of the supervisory authorities and data subjects for any issues related to processing activities in order to ensure compliance with the GDPR.

Juris Initiative, Anne-Solène Gay, Behring, données personnelles, RGPD, Brexit, transferts de données, pays tiers