18th October 2019


In the last Brexit deal, which still has to be approved by the Commons, the EU and the UK have agreed that “the European Commission will start the assessments with respect to the United Kingdom as soon as possible after the United Kingdom’s withdrawal, endeavouring to adopt decisions by the end of 2020, if the applicable conditions are met.” In other words, at least until the end of 2020, the UK will not be considered to offer sufficient safeguards on data protection for data to be transferred there.

Thus, if for one reason or another your processing involves the transfer of personal data to the UK, it will no longer be the straightforward transfer it has been to date. According to the GDPR, international transfers (transfers outside the EEA) may take place when there is an adequate level of protection for the fundamental right of individuals (data subjects) to data protection.

It’s all about showing the EU that the UK is a safe place for data processing so that restrictions on data transfers are not imposed. The European Commission can assess a non-EU country’s level of personal data protection to see whether it is essentially equivalent to that of the EU. If a country ‘passes’ the rigorous testing, the Commission can make an Adequacy decision.

Adequacy assessments may be carried out by those wishing to transfer data outside the EEA themselves, or by the European Commission. The Commission has determined that several countries ensure an adequate level of protection by reason of their domestic law or of the international commitments they have entered into. The Brexit agreement implies that the UK will not be considered to ensure an adequate level of protection.

In such circumstances, data transfers may still occur, but only under certain conditions:

  • the organisation wishing to transfer data outside the EEA can provide adequate safeguards, for example by adopting the Commission’s standard contractual clauses, or other binding safeguards authorised by the European Data Protection Supervisor (EDPS);
  • the organisation wishing to transfer data outside the EEA can refer to one of the derogations listed in the Regulation, provided that the transfer is not repeated, massive or structural, and no other legal framework can be used. Examples of derogations include an individual giving her consent for her data to be transferred, a transfer that is necessary for the conclusion or performance of a contract, or a transfer needed for exercising defence in legal proceedings.

Which is your best option?

If your organisation is a small or medium-sized business, then Standard Contractual Clauses are, most of the time, your best option. It is unlikely that you have a realistic alternative.

Public authorities receiving data from another public authority may still use the Standard Contractual Clauses if both authorities are able to enter into contracts. That said, other options for transfers between public authorities exist. Where one or both public authorities cannot enter into a contract, an administrative arrangement to ensure individuals’ rights and remedies may be sought.

If your organisation forms part of a multinational group of companies and data is being received from within that group, Standard Contractual Clauses may not be needed if the group you form part of has approved binding corporate rules and they are in place.

Standard Contractual Clauses

The European Commission has so far issued two sets of standard contractual clauses for data transfers from data controllers in the EU to data controllers established outside the EU or European Economic Area (EEA).

It has also issued one set of contractual clauses for data transfers from controllers in the EU to processors established outside the EU or EEA.

These European Commission-approved clauses, often known as model clauses, need to be embedded within contracts (without any changes), or added as an appendix to an existing contract, which may need to be reviewed on this point to avoid ambiguity.

So…

If you transfer data to the UK, you need to ensure that those transfers are LAWFUL.

Disclaimer: This note is for guidance and information purposes only and does not impart legal advice.