Brexit and the processing of personal data under the GDPR: what do you need to know?

Brexit and the processing of personal data: what changes?

Recently, the much-discussed Brexit deal was closed. The Brexit also has an impact on the processing of personal data. In the United Kingdom ("UK"), the General Data Protection Regulation (“GDPR; in Dutch: "AVG") will no longer be the applicable regulation as of 1 January 2021. Do you also exchange personal data with parties in the UK or do you use, for example, processors (such as your software suppliers) vested in or using servers in the UK? Do you otherwise co-operate with parties in the UK? If so, what will you need to consider in 2021?

*This blog is mainly written from the point of view of parties established in the EU (actually: EEA).

Transitional period and beyond

First of all, there will be a transitional period of 4 months (until May 2021), which may be extended once by two months. During this period, you will be able to exchange data with the UK as before, i.e. without Brexit-related measures. It should be noted that if the UK were to change its regulations in this area in the meantime, this ‘transition period’ would no longer apply.

After this transition period, you will be required to treat the processing of personal data by parties in the UK in the same way as processing by parties in other countries outside the European Economic Area (EEA), such as the United States. Due to the fairly recent ruling of the European Court of Justice in the Schrems II case, which, among other things, declared the Privacy Shield invalid, our privacy team is often asked whether data can still be exchanged between parties located in the EEA and parties vested outside the EEA. The answer is: that differs from case to case and this has not yet fully crystallized. In any case, this processing always needs to be looked at more closely and we are happy to help with that. Without going into all the details of such assessment right now, we will give you a number of points of attention and tips to prepare for the possible scenarios that may occur.  

The end of the transition period means, among other things, the following:

1. Additional measures are needed to ensure an adequate level of protection of personal data, such as SCCs (Standard Contractual Clauses; Article 46 GDPR). However, if a so-called adequacy decision of the European Commission follows for the UK, the level of protection is considered to be adequate in the UK and therefore the conditions for transfers outside the EEA are already met, which makes it unlikely to expect much changes in this respect. Nevertheless, points (b) and (c) below and subsequent tips still apply. 
   • In the absence of an adequacy decision, SCCs alone are not sufficient. More research into the level of protection in the UK (and possibly additional measures) is (are) than required. Please contact us for more information about these types of international data processing activities. The GDPR does offer certain exceptions, but these must be applied restrictively (and often temporarily). Also in case an exception as mentioned can be invoked, an analysis of the actual data processing is required, which should be recorded, as well as the adoption of appropriate measures (or sometimes: cessation of processing).
   • Receipt of personal data from the UK is permitted. However, the European recipient must of course comply with all the requirements of the GDPR with regard to the processing which then takes place under its control. Good contractual arrangements with the party in the UK should be made, in view of the obligations and liability this entails.
2. Your Data Processing Register and Privacy Statement will need to be updated to indicate, for example, which processing operations are being transferred to the UK and what security measures have been put in place in relation herewith.
3. Data subjects (whose data is being processed) must be informed of various matters under the GDPR, such as what their personal data will be used for and by whom. But also, for example, about what their rights are and how they can exercise them.
4. If you have made use of the One-Stop-Shop principle, whereby a single authority in the EEA is competent for processing of personal data by more than one party within the EEA, you can no longer do so where this concerned the United Kingdom and its Data Protection Supervisor (ICO). However, in order to benefit from this, another main establishment in the EEA may be established or designated (subject to the necessary conditions). 

Please also note that entities based in the UK which process personal data of EU citizens must appoint an EU representative to whom, among other things, authorities and citizens can address queries and complaints.  

What is the best thing to do (in advance)?

It is not yet clear what the situation will be after 1 May (or 1 July after an extension of the transition period). Will there be an adequacy decision (see above under a) or will things significantly change? Also because the current transition period is subject to conditions such as those mentioned above (and - theoretically - could end prematurely), it is wise to already take some steps, to be able to switch to the new situation quickly when necessary.

We are happy to provide you with a number of tips that you could possibly use in the meantime:

1. Identify the parties in the UK with whom you have a contractual relationship;
2. Check whether any personal data is exchanged, stored or otherwise processed in connection with those contracts (this will soon be the case, including business contact details of the person you correspond with);
3. Identify the categories of personal data processed and distinguish between ordinary, sensitive and special personal data;
4. Based on, among other things, the sensitivity and amount of data, determine priorities for tackling the present issue (e.g. create a number of categories, such as: urgency/lower urgency but attention needed/low relevance);
5. Determine which processing operations are necessary and could not take place outside the UK, and consider how - in the absence of an adequacy decision - you could ensure that the processing of personal data will (remain to) comply with the GDPR.
6. Also think about this new situation as early as when you enter into new agreements and make agreements on this subject straight away. Such as that, and (possibly in outline) how, you will ensure that the processing of personal data will comply with the GDPR in the absence of an adequacy decision.

• Consultation with the Data Protection Officer (DPO) / Privacy Officer is recommended.
• Record the aforementioned analysis (in connection with the accountability obligation under the GDPR).

Need help?

Do you have questions about the GDPR and Brexit? Or do you prefer some assistance with the performance of the abovementioned assessment, or in order to make the right arrangements with third parties or correct adjustments in your privacy documentation? Do you have any other (legal) questions about the Brexit? Our privacy specialists, as well as our Brexit specialists, together if appropriate, will be happy to assist. Mail to n.witt@ploum.nl and we will contact you as soon as possible.