Guidance Note on Brexit and Data Protection
19 Mar 2019
1. Transfers of personal data from EEA countries to the UK
Standard Contractual Clauses
The European Commission has issued two versions of the clauses:
1) Data Controller to Data Controller
2) Data Controller to Data Processor
You cannot amend the main body of the Standard Contractual Clauses but you have to complete the annexes: Annex A – data processing principles, Annex B – description of the transfer and optional illustrative commercial clauses. If you do not want to use the optional illustrative commercial clauses you should delete these. You should familiarise yourself with the Standard Contractual Clauses before using them so you can deal with any queries which the other party to them may raise.
Binding Corporate Rules (BCR)
These are a way of transferring personal data on an intra-group basis, but they need to be approved by a national data protection authority. If you already have Binding Corporate Rules approved for transfers currently from the EEA (including the UK) to third countries, then you may be able to use them post-Brexit. However, you will need to tweak them slightly, as post-Brexit any group companies within the UK will need to sign up to Binding Corporate Rules from the perspective of organisations outside the EEA, whereas pre-Brexit they will be organisations inside the EEA. Also, if the UK Information Commissioner’s Office is currently your lead authority for Binding Corporate Rules, post-Brexit you will have to find another national data protection authority from a then-current EEA member to act as your lead authority for Binding Corporate Rules.
The European Commission will not start considering whether the UK provides an adequate level of data protection until after the date the UK becomes a third country for data protection purposes. The hope is that the UK will eventually be granted adequacy status, but this is not certain and we have no idea of the length of time the review of UK data protection legislation will take.
Codes of Conduct
The UK DMA is working with its European trade association, FEDMA, to develop a European Direct Marketing Code of Conduct. Once the Code has been approved by the European Data Protection Board (made up of representatives from the national data protection authorities of EU Member States, and the European Commission), there is the possibility that the Code could be used as a method of providing GDPR safeguards for transfers of personal data to third countries outside the EEA, including the UK. However, we have no idea how long the approval process will take.
If your organisation is a member of other trade associations, it may be worth finding out whether that other trade association is looking at codes of conduct as well.
2. Brexit and transfers of personal data from the UK to other countries
UK to EEA Countries
The UK will transitionally recognise all European Economic Area (EEA) countries (EU 27 Member States plus Iceland, Liechtenstein and Norway) as adequate under UK law. This means nothing will change in practice in respect of transfers from the UK to the EEA. However, as we have seen above, there will be major changes with regard to transfers of personal data from the EEA to the UK.
UK to non-EEA Countries
Countries with an existing EU Adequacy Decision
The UK will recognise all existing EU Adequacy Decisions in respect of the following countries: Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. This means the UK will be able to send personal data freely to these countries.
The UK Government is still considering its position on the recent EU Adequacy Decision in respect of Japan.
The UK will recognise the existing EU Privacy Shield Adequacy Decision in respect of US organisations who have signed up to Privacy Shield. US organisations who have signed up to Privacy Shield and want to continue to receive personal data from the UK must, prior to the date the UK becomes a third country for data protection purposes (see above for the possible options), update any language stating their commitment to comply with the Privacy Shield to include a positive statement that their commitment under the Privacy Shield will include any personal data received from the UK.
The UK will recognise the existing EU adequacy decision in respect of transfers to Canada which are covered by the Canadian Personal Information Protection and Electronic Documents Act.
Countries without an existing EU adequacy decision (i.e. all other countries not listed in the above section)
The UK will recognise the EU Commission approved Standard Contractual Clauses and Binding Corporate Rules approved prior to the date the UK becomes a third country for data protection purposes.