Brexit and the transfer of personal data to the UK

When the transition period for the withdrawal from the EU ended, the United Kingdom lost all its rights and obligations as a Member State. Due to the withdrawal from the EU, data protection regulations concerning third countries must also be applied to the transfers of personal data between the EEA and the United Kingdom. Personal data can be transferred to the United Kingdom based on a decision of the European Commission on the adequacy of data protection. 

The European Commission made two adequacy decisions concerning the United Kingdom under the EU General Data Protection Regulation (GDPR) and the Law Enforcement Directive in June 2021. The adequacy decisions of the Commission serve as the primary bases of transfer for transfers of personal data from the EEA to the United Kingdom. 

When personal data are transferred based on an adequacy decision, the other bases of transfer laid down in Chapter V of the GDPR are not required. However, compliance with the other aspects of GDPR must still be ensured in these situations, too. The transfers of personal data must be permitted under the GDPR, and the data protection principles must be followed in the transfers. 

Adequacy decisions concerning the United Kingdom 

• Commission Implementing Decision pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom
• Commission Implementing Decision pursuant to Directive (EU) 2016/680 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom

The adequacy decisions by the Commission include a sunset clause stating that the decisions shall apply for a period of four years. We will report any changes related to the decisions on our website. 

The transfers of personal data made for immigration control by the United Kingdom fall outside the scope of application of the adequacy decision made under the General Data Protection Regulation (GDPR). 

More information:
Information about Brexit on Prime Minister’s Office’s website

Rules on data transfers to third countries on the Commission’s website

Draft of the EU-UK Trade and Cooperation Agreement on the website of the European Commission

Answers to frequently asked questions about the EU-UK Trade and Cooperation Agreement on the website of the European Commission