Update on Brexit and GDPR
The Trade and Cooperation Agreement concluded between the European Union and the United Kingdom on December 24th, 2020 provides that the General Data Protection Regulation ("GDPR") will remain applicable in the United Kingdom for a transitional period of up to 6 months, i.e. until July 1st, 2021.
However, the agreement provides that the "one-stop-shop" mechanism will no longer apply in the United Kingdom from January 1st, 2021.
Implications for data transfers to the UK
Until July 1st, 2021, data transfers from the EU/EEA to the UK remain subject to the current GDPR legal framework. No formalities are therefore necessary to carry out such transfers during the transitional period.
Beyond this date, these transfers will nevertheless be considered as transfers to a "third" country outside the EU/EEA (Art. 44 et seq. GDPR). These transfers will therefore have to be subject to appropriate safeguards set by the GDPR, such as standard contractual clauses ("STCs") or Binding Corporate Rules ("BCRs"), unless the European Commission finds that the UK ensures an adequate level of protection by adopting an adequacy decision before that date.
The UK Data Protection Authority ("Information Commissioner's Office" or "ICO") recommends that entities receiving personal data from the EU/EEA implement these appropriate safeguards before the end of April 2021.
The same applies to any entity transferring personal data from the EU/EEA to the UK, in order to anticipate the end of this transitional period.
Implications for controllers and processors established in the UK
The "one-stop-shop" mechanism has no longer been applicable in the UK since January 1st, 2021. This mechanism allowed entities established in several EU/EEA Member States and implementing cross-border processing to have a single interlocutor for all their processing activities throughout the European territory, namely the "lead supervisory authority" (Art. 56 GDPR). The ICO can therefore no longer be considered as a lead supervisory authority.
Since January 1st, 2021, data controllers and processors established solely in the UK and carrying out processing activities subject to the GDPR shall designate a representative in the EU in writing, provided that the processing is not occasional (Art. 27 GDPR). The representative in the EU may be an external service provider such as a law firm located in the EU. It must be mandated to be the person to whom, in particular, supervisory authorities and data subjects must address themselves, in addition to or instead of the controller or processor, on all issues related to processing, for the purposes of ensuring compliance with the GDPR. The EU representative must also have access to the record of processing activities under the responsibility of the controller or processor and make it available to the supervisory authority upon request (Art. 30 GDPR). According to the European Data Protection Board (EDPB), the function of EU representative is, however, incompatible with the function of Data Protection Officer or "DPO" (EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), 2019).
Brexit therefore has implications both for data controllers and processors located in the UK when the GDPR applies to their processing activities, and for those located in the EU/EEA when they transfer data to the UK. Companies must assess their current practices in order to, where relevant, appoint a representative in the EU, identify a lead supervisory authority, and review their transfer agreements as well as their policies and procedures in the light of any changes.