This article concentrates on the personal data flow between the UK and the EEA (European Economic Area) from 1st January 2021 onwards, and we hope it helps small to medium-sized UK businesses. For clarity, the EEA is the EU (European Union) plus Iceland, Norway, and Liechtenstein.
The UK left the EU on 31 January 2020 and entered the transition period, which ended on 31 December 2020.
The UK Government has applied for an ‘adequacy decision’ from the European Commission. This will result in the Commission acknowledging that the UK’s data protection regime is robust and good enough for its member states to rely on when trading. Once granted, the data flow between the UK and the EEA will be substantially similar to when we were in the EEA.
Until that time, however, transfers from the European Economic Area to the UK will need to comply with EU GDPR transfer restrictions. There are changes to how you receive personal data from the EU, and you may need to take action to remain compliant. Having said that, there is a 4-month grace period for the 'adequacy decision' to be considered, and during that time data can flow as before. We'll update you again when concluded.
The UK is clearly intent on maintaining the high standards of the GDPR and the government has incorporated it into UK law as the UK GDPR alongside the Data Protection Act 2018. UK businesses are obviously subject to that Act.
It is vital to track your data and understand whether or not your data is sent to, received from, or held by any contact in the EEA. Overseas data processed prior to 1st January 2021 is called ‘Legacy Data’ and was obviously subject to the GDPR (known as ‘Frozen GDPR’).
If you are a UK business or organisation that already complies with the GDPR and has no contacts or customers in the EEA, you do not need to do much more to be data protection compliant.
The UK government has stated that transfers to the EEA are not restricted. So, if you send data from the UK to the EEA you will still be able to do so and you don’t need to take any additional steps.
However, if you are a UK business or organisation that receives personal data from contacts in the EEA, you will need to take extra steps to ensure that the data can continue to flow now the Brexit transition period has ended. If a business or organisation in the EEA is sending you personal data, then it will still need to comply with EU data protection laws, and the action you take will ensure that the data can continue to flow.
Your trading contracts or data processing agreements need to be amended by inserting "Standard Contractual Clauses", known as SCCs. These are clauses which are recognised and acceptable to both the UK and the EEA and will permit the flow of data in such circumstances.
You can cherry-pick the clauses you want and insert them into any contract or amendment.
Alternatively, simply contact us and we can help you make the relevant legal amendments to your pre-existing contracts.
You can follow this link to the Information Commissioner’s Office for templates of relevant clauses - ICO SCC help.
If you are a UK business or organisation with an office, branch, or other established presence actually in the EEA, or if you have customers in the EEA, you will need to comply with both UK and EU data protection regulations from 1st January 2021. You may need to designate a representative in the EEA, so it would be advisable to seek specialist advice.
If you are affected by the changes, you will need to review and maybe amend your data privacy documentation, something we can easily help you audit and correct as needed.