In case of a no-deal Brexit, the UK will become a third country within the meaning of the GDPR. This would mean that, as of the withdrawal date, any transfer of personal data to the UK would have to be based on one of the transfer mechanisms listed in Chapter V of the GDPR. In essence, these transfer mechanisms ensure that the protection offered by the GDPR to a natural person with regard to his/her personal data travels with the data when it leaves the EEA territory.
These are the transfer mechanisms that you can use for a transfer of personal data from the EEA to the UK:
An adequacy finding is a decision of the European Commission in which it decides that a non-EEA country ensures an adequate level of protection for personal data. If an adequacy finding exists for such a country, the transfer of personal data from the EEA to that country will not require any specific authorisation.
At the moment, there is no adequacy decision in place for the UK, since the UK is still part of the EU. As such, this transfer mechanism can only be used if, at the time of Brexit, an adequacy decision for the UK exists.
A second transfer mechanism is the so-called standard contractual clauses adopted by the Commission or adopted by the supervisory authority and approved by the Commission. These are ‘model contract clauses’ that should in their entirety be incorporated into a contract between the data exporter (based in the EEA) and the data importer (based outside the EEA, e.g. UK), before the transfer can be performed in a lawful way. The clauses contain contractual obligations for the data exporter and the data importer and rights for the individuals whose personal data is transferred.
As it stands, the European Commission has only approved standard contractual clauses for the following relationships:
If you want to know where to find these standard contractual clauses, check out 4.1. Standard Contractual clauses seem to be the only possibility
Please note that standard data protection clauses may not be modified and have to be signed in the way provided by the European Commission. They may, however, be included in a wider contract that includes other (possibly data protection related) clauses.
Ad-hoc data protection clauses are data protection clauses incorporated in a contract between the data exporter (e.g. EEA undertaking) and the data importer (e.g. UK undertaking) that have been individually authorised by the supervisory authority of the country from which the data are exported.
Please note that, if the model contractual clauses mentioned above are modified by the contracting parties, they will be considered as ad-hoc data protection clauses that require authorisation by the competent national supervisory authority.
Binding corporate rules (BCRs) are personal data protection policies that serve as internal rules for data transfers within multinational companies. Binding corporate rules have to be authorised by the competent supervisory authority(ies) before any transfer can be performed lawfully.
Codes of conduct or certification mechanisms can offer appropriate safeguards for a transfer of personal data if they contain binding and enforceable commitments by the organisation in the third country (e.g. the UK) for the benefit of the individuals. However, no approved codes of conduct or certification mechanisms are in use yet.
If no adequacy decision or appropriate safeguards as mentioned above are put in place, a transfer of personal data to a non-EEA country can take place only if one of the derogations for specific situations listed in Article 49 of the GDPR applies. These situations are:
If the transfer cannot be based on one of the derogations set out above, a transfer may take place only if it is non-repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests of the controller that are not overridden by the data subject, and the controller has provided suitable safeguards with regard to the protection of personal data.
Please note that several transfer mechanisms exist for transfers of personal data from EEA public authorities or bodies to non-EEA countries or international organisations.
Do you want to know more about how to implement these transfer mechanisms in practice? Check out 4. How to implement a personal data transfer mechanism?
This article is part 3 of a series of 6 articles about Brexit: