Unless the parties decide, before 1 July 2020, to extend the transitional period from 1 to 2 years, the whole of eu primary and secondary law will no longer apply in the United Kingdom from 1 January 2021. The transfer of personal data to the United Kingdom is then subject to the requirements of Chapter V of the RGPD and the Criminal Prosecution Directive. The European Commission has published a series of opinions outlining the consequences in a number of areas of action to prepare citizens and stakeholders for the UK`s withdrawal. The British government will allow further transfers to Gibraltar. Organisations are now advised to cooperate with their EU partners to ensure that personal data is transmitted in a consistent manner between the UK and the EU. At present, no changes have been made to the way you send personal data to the EU/EEA, Gibraltar and other countries deemed appropriate by the EU. If this situation changes, we will update this page. Legacy data includes personal data of people outside the UK (whether in the EEA or not) processed in the UK, with respect to: if there is no appropriate adequacy decision and safeguards, but one of the exceptions provided by the EU`s RGPD applies, you can make restricted transmission. These exemptions will continue to be granted under the UK RGPD. However, after Brexit, EU organisations may be forced to ensure that their transfers to Britain are legitimate, which may not be as simple as they are today. However, the EU has not made similar changes with regard to transfers to the UK. After Brexit, the transfer of personal data from the EEA to the UK could be limited. This will have a significant impact on any organisation that regularly transfers personal data from the EU to the UK.
The aim is to show the EU that the UK is a safe place for data processing, so as not to impose restrictions on data transmission. The European Commission can assess the level of protection of personal data in third countries to determine whether it is about the same level as the EU. If a country “passes” the rigorous examinations, the Commission can make a decision on adequacy. As far as Brexit is concerned, this means that the UK could use SSCs if a data transfer agreement is not formalised as part of a negotiated exit. If a negotiated exit does not contain a provision for data transfers or if a non-agreement scenario is achieved and/or if the UK has to wait an indeterminate period before reaching a matching agreement, there is even more need for mechanisms such as SCCs. For international data transfers from the UK to other jurisdictions, please visit the ICO website. If the UK is effectively treated as a third country after Brexit and no BREXIT deal is put on the table, including an appropriate agreement on how to deal with data protection and hence data transfers, some EU-based companies may find themselves in a situation where they will not be able to trade with the UK. On its website, the ICO stated that if BCRs are designed far enough, they should be able to accommodate changes in the company structure and some variations in the types of data flows. It found that model contracts can also be used in place of a BCR to facilitate the flow of intra-business data between the EEA and a third country. 11 of the 12 third countries deemed appropriate by the EU have informed us at present that they will keep data with the UK from 2021.