Brexit and personal data flows

Brexit and personal data flows 

Krzysztof Grabowski, Data Protection Officer
4/12/2021
Brexit and personal data flows
The UK is no longer bound by EU legislation, including the General Data Protection Regulation (GDPR), as a result of Brexit. However, at present, the free flow of personal data between the parties has been maintained until 1 July 2021 under UK-EU bridging clauses. How will the situation develop once the transition period ends?

The most likely scenario is that from mid-2021, the provisions of Article 45 of the GDPR will apply to the flow of personal data between the UK and EU countries. This means that the European Authority Commission will have to determine an adequate level of protection and thus allow data transfers without tax formalities.

The United Kingdom General Data Protection Regulation is modelled on its European counterpart and includes extensions on matters of national security, intelligence services and immigration. Therefore, there is no reason to question the claim that they provide an equivalent level of security for individuals' data as in EU countries.

Personal data - what action should be taken for Brexit?

The key issue is to identify the controller's relationship in relation to the flow of personal data. We distinguish two key relationships:

  • UK based companies offering or monitoring EEA natural persons
  • EEA companies transferring data to the UK

Companies processing data of EEA persons must appoint a data protection representative who will also be based in the EEA and will be the contact for those persons. Contact details for the representative should be included in the information clause.

The issue of data transfers by Administrators to the UK appears to be a more complex issue as it requires an update of information on transfers of personal data. The first step is to identify all processes in which the transfer occurs. This should be followed by an update of the legal basis for the register of categories of processing activities and changes to the information obligations by adding information on transfers to non-EU countries. 

Personal data protection

Contact our expert

Krzysztof Grabowski
Krzysztof Grabowski
Data Protection Officer
Crowe