Which personal data transfer mechanisms can you use?

Author info

In case of a no-deal Brexit, the UK will become a third country within the meaning of the GDPR. This would mean that, as of the withdrawal date, any transfer of personal data to the UK would have to be based on one of the transfer mechanisms listed in Chapter V of the GDPR. In essence, these transfer mechanisms ensure that the protection offered by the GDPR to a natural person with regard to his/her personal data travels with the data when it leaves the EEA territory.

These are the transfer mechanisms that you can use for a transfer of personal data from the EEA to the UK:

3.1. Adequacy finding

An adequacy finding is a decision of the European Commission in which it decides that a non-EEA country ensures an adequate level of protection to personal data. If an adequacy finding exists for such a country, the transfer of personal data from the EEA to that country will not require any specific authorisation. 

At the moment, there is no adequacy decision in place for the UK, since the UK is still part of the EU. As such, this transfer mechanism can only be used if, at the time of the Brexit, an adequacy decision for the UK exists. 

3.2. Standard contractual clauses 

A second transfer mechanism are the so-called standard contractual clauses adopted by the Commission or adopted by the supervisory authority and approved by the Commission. These are ‘model contract clauses’ that should in their entirety be incorporated into a contract between the data exporter (based in the EEA) and the data importer (based outside the EEA, e.g. UK), before the transfer can be performed in a lawful way. The clauses contain contractual obligations for the data exporter and the data importer and rights for the individuals whose personal data is transferred.

As it stands, the European Commission has only approved standard contractual clauses for the following relationships:  

  • EEA controller to non-EEA (e.g. UK) controller 
  • EEA controller to non-EEA (e.g. UK) processor 

If you want to know where to find these standard contractual clauses, check out 4.1. Standard Contractual clauses seem to be the only possibility

Please note that standard data protection clauses may not be modified an have to be signed in the way provided by the European Commission. They may however be included in a wider contract that includes other (possibly data protection related) clauses.

3.3. Ad-hoc data protection clauses

Ad-hoc data protection clauses are data protection clauses incorporated in a contract between the data exporter (e.g. EEA undertaking) and the data importer (e.g. UK undertaking) that have been individually authorised by the supervisory authority of the country from which the data are exported. 

Please note that, if the model contractual clauses mentioned above are modified by the contracting parties, they will be considered as ad-hoc data protection clauses that require authorisation by the competent national supervisory authority.       

3.4. Binding corporate rules

Binding corporate rules (BCRs) are personal data protection policies that serve as internal rules for data transfers within multinational companies. Binding corporate rules have to be authorised by the competent supervisory authority(ies) before any transfer can be performed lawfully.      

3.5. Codes of Conduct and certification mechanisms

Codes of conduct or certification mechanisms can offer appropriate safeguards for a transfer of personal data if they contain binding and enforceable commitments by the organisation in the third country (e.g. the UK) for the benefit of the individuals. However, currently no approved codes of conduct or certification mechanisms are yet in use.        

3.6. Derogations 

If no adequacy decision or appropriate safeguards as mentioned above are put in place, a transfer of personal data to a non-EEA country can take place only if one of the derogations for specific situations listed in Article 49 of the GDPR applies. These situations are:

  • the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks thereof in absence of adequacy decision or appropriate safeguards;
  • the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request;  
  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
  • the transfer is necessary for important reasons of public interest;
  • the transfer is necessary for the establishment, exercise or defence of legal claims;
  • the transfer is necessary in order to protect thevital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
  • the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down.

If the transfer cannot be based on one of the derogations set out above, a transfer may take place only if it is non-repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests of the controller that are not overridden by the data subject and the controller has provided suitable safeguards with regard to the protection of personal data.

Please note that several transfer mechanisms exist for transfers of personal data from EEA public authorities or bodies to non-EEA countries or international organisations.

Do you want to know more about how to implement these transfer mechanisms in practice? Check out 4. How to implement a personal data transfer mechanism?

Related

This article is part 3 of a serie of 6 articles about Brexit:

  1. Do I have to take into account the GDPR after Brexit?
  2. How to identify whether your processing activities are impacted by Brexit?
  3. Which personal data transfer mechanisms can you use?
  4. How to implement a personal data transfer mechanism?
  5. How to update your privacy policy and internal documents?
  6. Which supervisory authority is competent after Brexit?