Brexit and the transfer of personal data to the UK

The United Kingdom left the EU on 1 February 2020. When the withdrawal agreement took effect, a transition period began and will last until the end of 2020. During this time, the EU’s current rules will remain in force and the future relationship will be negotiated. During the transition period, the UK will have all the rights and obligations of a Member State. The only significant exception is that Britain will no longer participate in EU decision-making or in the activities of EU bodies.

Transferring personal data to the UK may continue under the same conditions as before the transition period. That means that the same rules apply to the transfer of personal data to the UK as to transfers within Finland until the end of 2020. Controllers and processors do not have to apply the safeguards provided for in Chapter V of the GDPR before the transition period has ended.

Transfer of personal data to the UK after the transition period

After the transition period personal data can only be legally transferred to the UK on the transfer bases referred to in Chapter V of the General Data Protection Regulation.

The European Commission will make an adequacy decision for the UK, enabling the transfer of personal data on that basis. The Commission's adequacy decision would constitute the primary basis for data transfers. Deciding that a third country offers an adequate level of protection will require a comprehensive survey of the third country’ justice system.

Further information on the future relationship between the EU and the UK will be provided later during the transition period.

More information:
Information about Brexit on Prime Minister’s Office’s website
Rules on data transfers to third countries on the Commission’s website