Since 1 February, 2020, the United Kingdom has withdrawn from the European Union and has become a “third country”.
The Withdrawal Agreement provides for a transition period ending on 31 December 2020. Until that date, EU law in its entirety applies to and in the United Kingdom.
After the end of the transition period, the transmission of data from the EU to the United Kingdom is a “transfer” under Chapter V of the GDPR.
Aside from the possibility of an “adequacy decision” (as there is no adequacy decision at this moment as relates to UK) the GDPR provides for the possibility of transfers on the basis of “appropriate safeguards” and “derogations”.
In the absence of an “adequacy decision” a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.
For the transfer of personal data to the UK the appropriate safeguards may be as follows:
- binding corporate rules. Binding cooperate rules require an approval of the competent supervisory authority of an EU Member;
- standard data protection clauses adopted by the European Commission;
- other appropriate safeguards listed in Article 46 of GDPR.
According to Article 49 of GDPR, in the absence of an adequacy decision of the European Commission or of appropriate safeguards in the meaning of Article 46, a transfer or a set of transfers may take place on the basis of so-called “derogations” which allow transfers in specific cases, such as based on consent, for the performance of a contract, for the exercise of legal claims or for important reasons of public interest.
Therefore, we recommend reviewing the current cooperation with partners established in UK and secure the proper basis for transfer of data.
Relevant separation provisions of the withdrawal agreement
Article 71(1) of the Withdrawal Agreement provides that the personal data of data subjects outside the United Kingdom, where the data were – transmitted to the United Kingdom or otherwise processed in the United Kingdom before the end of the transition period; or – transmitted to the United Kingdom or otherwise processed in the United Kingdom after the end of the transition period on the basis of the Withdrawal Agreement; continue to be processed in the United Kingdom in accordance with GDPR after the end of the transition period. This ensures the continued protection of personal data of data subjects whose personal data were transmitted to the United Kingdom while the United Kingdom was a Member State and during the transition period. It also ensures such continued protection of personal data of data subjects outside the United Kingdom processed in the United Kingdom on the basis of the Withdrawal Agreement after the end of the transition period.
Appointment of a representative in the EEA
If the company is based in the UK and does not have a branch, office or other establishment in EEA state, but the company either:
- offers goods or services to individuals in the EEA, or
- monitors the behaviour of individuals in the EEA,
then it means the Company will still need to comply with the EU GDPR regarding this processing even after the end of the transition period.
As the company will not have a base inside the EEA after the transition period ends, the GDPR requires the company to appoint a representative in the EEA. This representative will need to be set up in an EU or EEA state where some of the individuals whose personal data you are processing in this way are located.
The company does not need to appoint a representative if either:
- it is a public authority, or
- the processing is only occasional, of low risk to the data protection rights of individuals, and does not involve the large-scale use of special category or criminal offence data.
For more information or legal advice on data protection or the provision of payment services, please contact the ECOVIS ProventusLaw team.
Prepared by ECOVIS ProventusLaw attorney at law Loreta Andziulytė and ECOVIS ProventusLaw associate Milda Šlekytė