This article has been prepared to assist companies and individuals who are residing in the EU / EEA but are transferring personal data to the United Kingdom (the "UK") and shall continue to do so following the 31st of October 2019. If as currently stated, the UK proceeds with its' scheduled withdrawal from the European Union on that date, without having reached an agreement with the EEA, then from 1st of November 2019 the UK will be designated as a "third country". This will inevitably have an adverse effect on the transfer of personal data to and from the EU / EEA.
Steps to be taken
Data transfer instruments
In order to be able to transfer personal data outside the EU / EEU, companies need to adhere to the principles laid down in Chapter V of the General Data Protection Regulation ("GDPR"). This stipulates that a transfer of personal data to a third country, or an international organization, may take place where the European Commission ("EC") has decided that the third country, a territory, or the international organisation in question ensures an adequate level of data protection ("adequacy decisions"). The EC has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited to the Privacy Shield framework) as providing adequate protection. The EC does not plan to adopt adequacy decisions with regard to the UK at the point of its' exit from the EU. A no-deal Brexit would therefore mean that the UK is classified as a third country. Consequently, all transfers of personal data to the UK would require the implementation of appropriate safeguards under the GDPR.
More specifically, in the absence of an adequacy decision, where a transfer of personal data outside the EU/EEA is intended between a group of undertakings, or group of enterprises engaged in a joint economic activity, then such transfers should be regulated by binding corporate rules ("BCR"). In respect of any other transfer of personal data outside the EU/EEA , the company should enter into an agreement with its non-EU/EEA counterpart with the use of Standard Data Protection Clauses ("SDPC") approved by the European Commission, which are considered as appropriate safeguards for the purposes of the GDPR.
In the absence of an adequacy decision or of appropriate safeguards including BCR's or SDPC, transfers of personal data outside the EU/EEA can only be performed if certain conditions apply, including:
- where an individual has explicitly consented to the proposed transfer after having been provided with all necessary information about the risks associated with the transfer;
- where the transfer is necessary for the performance or the conclusion of a contract between the individual and the controller or, the contract is concluded in the interest of the individual;
- if the data transfer is necessary for important reasons of public interest;
- where the transfer is necessary for the establishment, exercise or defense of legal claims;
- if the data transfer is necessary for the purposes of compelling legitimate interests of the organisation.
How we can help
If your company is involved in transferring of personal data from the EU / EEA to the UK, then legal advice should be sought in relation to the applicability and effects of the GDPR following Brexit. Elias Neocleous & Co LLC is a world-class law firm, which strives to help clients to identify and achieve their goals and to protect their interests, by providing prompt and professional advice of consistently outstanding quality. Our data protection team is a multidisciplinary team with thorough experience in areas such as Information Security Services, e-commerce and Privacy Law. This expertise enables it to advise and assist our clients on all aspects of the GDPR and data protection laws. We invite you to download our General Data Protection Regulation brochure available here. Alternatively, you can reach out to your usual contact at Elias Neocleous & Co. LLC for additional information and for any other enquiry you may have.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.