open search
Internationales Arbeitsrecht United Kingdom

UK: No deal #Brexit and data protection

Print Friendly, PDF & Email

This article discusses the impact of a no deal Brexit on data protection issues for businesses transferring data to or from the UK and how they should prepare for this possibility. With the Brexit D-day of 29 March looming, organisations have asked us to help prepare a Brexit Data Response Plan in case of a potential no deal Brexit. Building on the UK Information Commissioner’s Office (ICO); and Department for Digital, Culture Media & Sport (DCMS) Guidance Notes, we provide below some data protection considerations and sensible actions to take to ensure that your organisation’s data governance is ready.

What will not change?

General Data Protection Regulation 2016/679 (GDPR): Businesses should continue to maintain compliance with GDPR standards, as GDPR will still be applicable through the UK.

Both Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) and Network and Information Systems Regulations 2018 (NIS) will continue to apply.

Data transfers from the UK to the EEA
The UK will still recognise transitionally all EU and EEA countries and Gibraltar as ‘adequate’, all EU adequacy decisions in relation to third countries, and the EU model clauses (SCCs), as providing ‘adequate’ protection for data flows out of the UK.

Data transfers from the UK to the US
The UK will still recognise the EU-US Privacy Shield, provided that US organisations comply with new guidance set out on the US Government’s Privacy Shield website, which requires amending public commitments applicable to transfers of personal data from the UK.

Binding Corporate Rules for data transfers (BCRs) 
There is continued recognition by the ICO of BCRs that have been authorised before Brexit.

What will change?

Data transfers from the EEA to the UK
The UK will be considered a ‘third country’ by the EU and no ‘adequacy’ decision by the EU Commission will apply. Data transfers from the EU to the UK will need to be subject to the same ‘appropriate safeguards’ (e.g. the use of SCCs) that apply to other third countries.

Appointing an EU or a UK representative
Controllers or processors based outside or inside the EEA may need to appoint a representative in the UK if they offer goods or services to, or monitor the behaviour of, UK individuals. Equally, any UK-based controller or processor without a presence in the EEA, targeting EEA individuals, may need to appoint an EU representative.

Binding Corporate Rules (BCRs) for data transfer
Existing BCRs certified by the ICO may not be recognised by the EU supervisory authorities, affecting data transfers from the EEA to the UK.

One-Stop Shop and Lead Supervisory Authority (LSA)
The ICO can no longer act as a LSA. UK-only based organisations, or those only present in the UK plus one EU country, may no longer have access to the one-stop-shop mechanism.

Organisational awareness
Company boards need to empower the legal team, the compliance team and/or DPOs to ensure that plans and budgets are allocated to the Brexit Data Response Plan.

Verwandte Beiträge
Internationales Arbeitsrecht Neueste Beiträge United Kingdom

EU immigration to the UK after Brexit: what you need to know about EU Settlement Scheme deadlines

The main post-Brexit EU Settlement Scheme (EUSS) deadline is looming on 30 June 2021, however there are other deadlines and considerations that applicants and their employers in the UK may not be aware of. In this article we highlight a selection of issues that relate to the main deadline, or that will start to have practical implications after 30 June 2021. Main EU Settlement Scheme…
Internationales Arbeitsrecht Internationales Arbeitsrecht2 Neueste Beiträge

Der „Brexit“ ist vollzogen: Was deutsche Arbeitgeber und UK-Arbeitnehmer nun beachten sollten

Nach langwierigen Verhandlungen um einen Brexit-Deal ist das Vereinigte Königreich mit Ablauf des 31. Januar 2020 aus der Europäischen Union ausgetreten. In unserer Blogbeiträgen vom 21. Februar 2020 und vom 28. November 2019 haben wir bereits über mögliche Konsequenzen des Brexit für Arbeitgeber und über den Aufenthalt und Arbeitsmarktzugang von UK-Staatsbürgern in Deutschland berichtet. Seit dem 1. Januar 2021 ist nun auch die sog. Übergangsphase,…
Belgium Internationales Arbeitsrecht Neueste Beiträge

How to deal with ex-employees’ email accounts: the Belgian DPA strengthens its position

The Belgian DPA has recently fined a company for delaying the closure of ex-employees’ email accounts. The Belgian Data Protection Authority (DPA) recently decided to impose an administrative fine of EUR 15,000 on a company that only closed email addresses linked to employees (surname and first name) who had left the company after 2.5 years. According to the DPA, non-closure of these email addresses constitutes…
Abonnieren Sie den KLIEMT-Newsletter.
Jetzt anmelden und informiert bleiben.

Die Abmeldung ist jederzeit möglich.

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert