ARTICLE
28 October 2019

Get Ready For Brexit: How Data Transfers Will Be Affected

Elias Neocleous & Co LLC

Contributor

Elias Neocleous & Co LLC is the largest law firm in Cyprus and a leading firm in the South-East Mediterranean region, with a network of offices across Cyprus (Limassol, Nicosia, Paphos), Belgium (Brussels), Czech Republic (Prague), Romania (Budapest) and Ukraine (Kiev). A dynamic team of lawyers and legal experts deliver strategic legal solutions to clients operating in key industries across Europe, Asia, the Middle East, India, USA, South America, and China. The firm is renowned for its expertise and jurisdictional knowledge across a broad spectrum of practice areas, spanning all major transactional and market disciplines, while also managing the largest and most challenging cross-border assignments. It is a premier practice of choice for leading Cypriot banks and financial institutions, preeminent foreign commercial and development banks, multinational corporations, global technology firms, international law firms, private equity funds, credit agencies, and asset managers.

This article has been prepared to assist companies and individuals who are residing in the EU / EEA but are transferring personal data to the United Kingdom (the "UK") and shall continue to do so following the 31st of October 2019. If, as currently stated, the UK proceeds with its scheduled withdrawal from the European Union on that date without having reached an agreement with the EEA, then from 1st of November 2019 the UK will be designated as a "third country". This will inevitably have an adverse effect on the transfer of personal data to and from the EU / EEA.

Steps to be taken

Data transfer instruments

In order to be able to transfer personal data outside the EU / EEA, companies need to adhere to the principles laid down in Chapter V of the General Data Protection Regulation ("GDPR"). This stipulates that a transfer of personal data to a third country, or an international organisation, may take place where the European Commission ("EC") has decided that the third country, a territory, or the international organisation in question ensures an adequate level of data protection ("adequacy decisions"). The EC has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited to the Privacy Shield framework) as providing adequate protection. The EC does not plan to adopt adequacy decisions with regard to the UK at the point of its exit from the EU. A no-deal Brexit would therefore mean that the UK is classified as a third country. Consequently, all transfers of personal data to the UK would require the implementation of appropriate safeguards under the GDPR.

More specifically, in the absence of an adequacy decision, where a transfer of personal data outside the EU/EEA is intended between a group of undertakings, or group of enterprises engaged in a joint economic activity, then such transfers should be regulated by binding corporate rules ("BCR"). In respect of any other transfer of personal data outside the EU/EEA, the company should enter into an agreement with its non-EU/EEA counterpart with the use of Standard Data Protection Clauses ("SDPC") approved by the European Commission, which are considered as appropriate safeguards for the purposes of the GDPR.

In the absence of an adequacy decision or of appropriate safeguards including BCRs or SDPC, transfers of personal data outside the EU/EEA can only be performed if certain conditions apply, including:

  • where an individual has explicitly consented to the proposed transfer after having been provided with all necessary information about the risks associated with the transfer;
  • where the transfer is necessary for the performance or the conclusion of a contract between the individual and the controller, or the contract is concluded in the interest of the individual;
  • if the data transfer is necessary for important reasons of public interest;
  • where the transfer is necessary for the establishment, exercise or defense of legal claims;
  • if the data transfer is necessary for the purposes of compelling legitimate interests of the organisation.

How we can help

If your company is involved in transferring personal data from the EU / EEA to the UK, then legal advice should be sought in relation to the applicability and effects of the GDPR following Brexit. Elias Neocleous & Co LLC is a world-class law firm, which strives to help clients to identify and achieve their goals and to protect their interests, by providing prompt and professional advice of consistently outstanding quality. Our data protection team is a multidisciplinary team with thorough experience in areas such as Information Security Services, e-commerce and Privacy Law. This expertise enables it to advise and assist our clients on all aspects of the GDPR and data protection laws. We invite you to download our General Data Protection Regulation brochure available here. Alternatively, you can reach out to your usual contact at Elias Neocleous & Co. LLC for additional information and for any other enquiry you may have.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
