The European Commission’s adequacy decision on data protection in the United Kingdom

On 28 June 2021, the European Commission announced the adoption of the adequacy decision in respect of the United Kingdom in the area of data protection. This decision means that although the United Kingdom has left the European Union, it is considered that the United Kingdom (hereinafter also referred to as the UK) still provides adequate personal data protection in compliance with the European Union standards. Therefore, companies are exempt from the additional assessment of the UK as a third country when transferring data to this country.

What is important to know about the adequacy decision?

  • It is declared that the United Kingdom still is a country that applies the same personal data protection measures as it did while being in the European Union. The European Commission has also noted that access to personal data by public authorities and the right of data subjects to complain about violations of their rights are properly regulated in the United Kingdom.
  • The period of validity of 4 years, i.e. the so-called “sunset clause”, has been set for the adequacy decision, which means that the decision will expire four years after its entry into force. The adequacy status of the United Kingdom might be renewed if the UK continues to ensure adequate data protection measures and standards.
  • The adequacy decision includes a clause on personal data processing for the purpose of UK migration control. This issue is excluded from the adequacy decision adopted by the European Commission but it will be reassessed once the UK legislation is amended.

What does this decision of the European Commission mean in practice?

  • Companies do not need to sign the standard data transfer conditions approved by the European Commission, approve rules binding on the company, etc. The basis for personal data transfers to the UK is the above adequacy decision of the European Commission.
  • Companies remain obliged to enter into contracts with data controllers in accordance with Article 28 of the BDAR;
  • Companies need to assess whether their data transfers do not fall within the applicable exception for data transfers for the purposes of the UK migration control;
  • Companies have to assess whether the personal data transferred to the UK are not further transferred to other non-EEA countries, in which case the sub-processor (sub-controller) must be assessed and indicated.

Despite the fact that the European Commission has adopted the adequacy decision in respect of the UK, the European Commission has indicated that it will continuously monitor the UK legal framework and regulatory developments as the the main purpose is to ensure the highest standards of data protection.

Contact the experts of ECOVIS ProventusLaw for more information or advice on data protection issues.

Prepared by Brigida Bacienė, Data Protection Expert of ECOVIS ProventusLaw, and Andrius Karmonas, the Lawyer of ECOVIS ProventusLaw.


Newsletter SubscriptionGet in touch