Brexit and the transfer of personal data to the UK
When the transition period for the withdrawal from the EU ended, the United Kingdom lost all its rights and obligations as a Member State. Due to the withdrawal from the EU, data protection regulations concerning third countries must also be applied to the transfers of personal data between the EEA and the United Kingdom. Personal data can be transferred to the United Kingdom starting from 28 June 2021 based on a decision of the European Commission on the adequacy of data protection.
The European Commission has made two adequacy decisions concerning the United Kingdom under the EU General Data Protection Regulation (GDPR) and the Law Enforcement Directive in June 2021. The adequacy decisions of the Commission serve as the primary bases of transfer for transfers of personal data from the EEA to the United Kingdom.
When personal data are transferred based on an adequacy decision, the other bases of transfer laid down in Chapter V of the GDPR are not required. However, compliance with the other aspects of GDPR must still be ensured in these situations, too. The transfers of personal data must be permitted under the GDPR, and the data protection principles must be followed in the transfers.
Adequacy decisions concerning the United Kingdom
- Commission Implementing Decision pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom
- Commission Implementing Decision pursuant to Directive (EU) 2016/680 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom
The adequacy decisions by the Commission include a sunset clause stating that the decisions shall apply for a period of four years. We will report any changes related to the decisions on our website.
The transfers of personal data made for immigration control by the United Kingdom fall outside the scope of application of the adequacy decision made under the General Data Protection Regulation (GDPR).
Information about Brexit on Prime Minister’s Office’s website