FAQs about Brexit and data protection

Transfer from the UK to other countries, including to the EU, are subject to transfer rules under the UK regime after the end of the transition period. At this point of time, the UK transfer rules are very similar to the EU GDPR rules. Therefore, companies who are transferring data in accordance with the rules of the GDPR should the transition to the UK regime should be smooth.

There are also provisions which allow the continued use of any EU Standard Contractual Clauses (‘SCCs’) both for existing transfers and for new transfers to other countries. In addition, there UK data protection law includes provisions which allow certain Binding Corporate Rules (BCR) to transition into the UK regime.

However, for personal data transfers from the EU into the UK, the EU GDPR rules on third country data transfers will apply.

No, the UK GDPR is very similar to the EU GDPR. The key principles, rights and obligations remain the same.

The key difference is that there are implications for the rules on transfers of personal data between the UK and the EU. (Please see other FAQs for further explanation).

The UK GDPR also applies to controllers and processors based outside the UK if their processing activities relate to

• offering goods or services to individuals in the UK; or
• monitoring individuals’ behaviour taking place in the UK.

There are also implications for UK controllers who have an establishment or customers in the EU or monitor individuals in the EU. The EU GDPR still applies to this processing, but the way you interact with European data protection authorities has changed.

Although the UK GDPR and the EU GDPR are very similar, you still need to update your documentation etc. to reflect the introduction of the UK GDPR and the fact that the UK is now a third country.

For example, you need to review the following:

• Records of Processing Activity (ROPAs)
  • Update them to ensure that they include details of any transfers to the UK (as a third country), where applicable.
• Privacy notices / Data Protection Policies
  • Update the descriptions of ‘third countries’ to which you are transferring data.
  • References to ‘EU law’ or the ‘GDPR’ may also need to be amended.
• Personal data breach response plan:
  • Make sure it provides for the possible notification of the ICO, and
  • Your relevant lead EU DPA / all relevant EU DPAs in the event of a personal data breach.

The EU Commission has the power to determine whether a third country has an adequate level of data protection. The effect of such a decision is that cross-border personal data transfer from the EU to that country is possible without any further safeguard being necessary.

Currently there is no adequacy decision in place regarding the UK.

Ideally, the extended transition period will be replaced by an adequacy decision for the UK if the European Commission concludes that the UK can provide an adequate level of data protection. However, the EU will have to consider the implications of the Schrems II decision by the Court of Justice of the European Union (CJEU), which could be seen as an obstacle to an adequacy decision. As we cannot be sure that the EU will reach an adequacy decision, companies are well advised to consider alternative transfer mechanisms to safeguard against any interruption to the free flow of data after the end of the transition period.

Standard contractual clauses offer sufficient safeguards on data protection for the data to be transferred internationally. SCCs are, in other words, a contract between your UK company and the EU company on approved EU-terms. If a data importer agrees to SCCs, they thereby commit themselves to be compliant with European data protection standards. The currently applicable SCCs thereby regulate the required level of data protection. However, SCCs must be concluded in addition to a Data Protection Agreement.

Once the transition periods ends, the UK may produce its own SCCs for data transfer outside the UK. In the meantime, UK controllers can continue to use the existing EU SCCs for transfers from the UK to other countries. You may also make changes to the EU SCCs so they make sense in a UK context (e.g. changing reference from EU or Member States to UK). However, you are not allowed to change the legal meaning of the SCCs.

Data transfers to the EU

The UK government has stated that transfers to the EU are not restricted. Therefore, if you send data from the UK to the EU you will still be able to do so without setting up any additional safeguards such as SCCs.

Data received from the EU

If no adequacy decision is reached by the end of the transmission period, SCCs will probably be the most reliable safeguard. However, the conclusion of SCCs does not always constitute an appropriate safeguard. EU controllers have to take supplementary measures along with SCCs to ensure that UK law does not impinge on the guaranteed level of adequate protection.

Data transfers to countries outside the EU

SCCs will probably be the most reliable safeguard. According to the ICO, the Schrems II decision will continue to apply if you transfer data to countries other than the EU using SCCs. The decision requires that companies must make an assessment as to whether those SCCs provide protection that is “essentially equivalent” to the protections in the UK data protection regime, and if necessary, put in place additional measures. It is expected that the ICO will soon provide its own guidance on the Schrems II decision. In the meantime, the EDPB has produced a series of FAQs that may prove helpful.

After the Schrems II judgement, the European Commission modernized the SCCs, including more information obligations of the processors for the controllers and data subjects. Entry into force of this new set of SCCs is expected in the next couple of weeks. With this modernized set of SCCs an additional DPA is not necessary anymore, as all requirements of Art. 28 GDPR are regulated within the new set. EU companies relying on the old set of SCCs are required to replace the old SCCs with the new set of SCCs.

BCRs are an appropriate solution for multinational groups to meet their legal obligations and ensure a proper level of protection of personal information when transferring data to a third country. BCRs are typically data protection policies that satisfy data protection standards and may be available as an alternative means of authorising transfers of personal data to third countries. Such rules must include all general data protection principles and enforceable rights to ensure appropriate safeguards for data transfers. They must be legally binding and enforced throughout the organisation.

For multinational groups, BCRs can be a better option than SCCs as they can be tailored to fit the needs of the business. Once implemented and operational, BCRs are much easier to maintain compared to intra-group contracts incorporating the SCCs. If there is a complex web of processing activities, SCCs may not be fit the purpose.

Compared to this, SCCs work better for smaller companies with cross-border personal data transfers. SCCs work well for organisations that are likely to participate in two-way data sharing and in internal personal data transfers where the processing is straightforward. In addition, the BCR process is complex and time-consuming.

For Groups of companies operating in the UK and countries outside the EU

UK BCRs are required to be approved by the ICO. The BCRs must fulfil the conditions set out in the UK GDPR, specifically Article 47.

For groups of companies operating in the EU and third countries including the UK

EU BCRs are required to be approved by each EU Member State in which the organisation will rely on BCRs. Fortunately, the EU has developed a mutual recognition process under which BCRs approved by one member state’s data protection authority (the so-called lead authority) then cooperates with other relevant concerned supervisory authorities to facilitate the approval of BCRs in all relevant jurisdictions. The BCRs must fulfil the conditions set out in Article 47 GDPR.

How long will it take to process an application?

The application process is a lengthy regulatory process which can take months to complete. Usually it takes a minimum of 12 months to obtain approval from the authority.

From an UK perspective

• Approved by the ICO as the lead data protection authority: EU BCRs are automatically eligible for UK BCRS. However, the deadline for producing a UK version of BCRs was 1 January 2021.
• Approved by an EU lead data protection authority:
  • For EU BCRs being approved Pre-GDPR, EU BCRs are also automatically eligible for UK BCRS but additional steps will be required. Companies may create a standalone version of the BCR for the UK such that it adheres to the UK BCR Requirements Table. To use this option, companies must submit their UK BCRs before 30 June 2021.
  • For EU BCRs being approved Post-GDPR, these BCRs are not covered by the UK Data Protection Act 2018 (DPA). Therefore, these EU BCRs are not automatically eligible for UK BCRs. If you are a holder of these EU BCRs, you are well advised to contact the ICO as soon as possible to discuss the process and requirements of the ICO.

From an EU perspective

• Approved by the ICO as the lead data protection authority: Holders of such BCRs must identify an EU supervisory authority to act as their new lead authority for their EU BCRs and must have them transferred before the end of the transition period. If this is not done in time, the BCRs will no longer be valid under EU law. See the information note from the European Data Protection Board (EDBP).
• Applicants with the ICO as the lead authority: Current BCR applicants should identify a lead authority in the EU and provide all necessary information as to why this specific authority is being considered as the new BCR Lead.
• Approved by an EU lead data protection authority: BCR holders with a lead data protection authority within the EU can continue to transfer data to the UK after the end of the transition period.

Under Article 27 EU GDPR, an EU Representative must be appointed by UK-based controllers or processors with no offices, branches or other establishments in the EU that are processing the personal data of individuals in the EU by either

• offering goods or services to individuals in the EU; or
• monitoring the behaviour of individuals in the EU.

An EU representative

• serves as the point of contact for supervisory authorities and data subjects, and
• maintains your company’s record of processing activities and provides it to data protection authorities upon request.

A number of companies offer EU representative services. We offer EU representative services from our German offices. Our service is available to you as long as you process any amount of personal data of individuals in Germany. You can book your EU representative here.

The activeMind.legal law office in the UK provides support for UK companies facing data protection challenges. We will support you in meeting the requirements of UK data protection law which is also changing due to Brexit. In addition, we will assist you in complying with the GDPR in the future in order to continue to cooperate with EU companies.

Sponsoring visas for staff:

As the UK government has stated that the EU will be recognised as a country with an adequate level of data protection, the rules on transfer to third countries are not relevant here.

As long as travelling is necessary to fulfil the employment contract, personal data can be processed based on the contractual relationship with the employee. For this reason, data may also be transferred to authorities of EU Member States for the purpose of applying for a visa. However, as the visa application procedure may include the processing of personal data relating to criminal convictions and offences, you are well advised to receive explicit consent from your employee for processing this type of data.

Receiving information on EU visitors:

The legal basis for processing such data is Art. 6 (1)(c) UK GDPR, as the processing is necessary for compliance with a legal obligation to which the controller is subject.

The rules for storing data of job applicants in the data base remain the same. The legal basis is still Article 6(1)(b) UK GDPR or Article 6(1)(b) EU GDPR, as processing is required in order to take steps at the request of the data subject prior to entering into a contract.

After the transition period, you need to adjust the privacy policy regarding the third country data transfer. UK data subjects need to be informed that their data might be accessed by third countries situated in the EU. No additional information is necessary.

EU data subjects, however, must be informed that their personal data will be transferred to the UK. If the UK receives an adequacy decision from the EU Commission, it is enough to refer to the adequacy decision. If no such decision is received, you need to make reference to the appropriate or suitable safeguards and the means by which a copy of them can be obtained or where they have been made available.

Provided that the rules of the EU GDPR are followed, you should do the following:

• Update your records of processing activities for your clients stating that a third country data transfer to Germany takes place.
• Update your privacy policy for your clients regarding the third country transfer. As the UK government has announced that EU Member States are recognised as having an adequate data protection level, you need to consider any additional safeguards for the processing of data by the German company.

(Please bear in mind that even the German company’s mere access to the UK data constitutes “processing” according to the UK GDPR.)