Brexit and the transfer of personal data to the UK
If the United Kingdom leaves the EU without a deal, it will immediately become a non-EU, non-EEA ‘third country’. In that eventuality, personal data could only be legally transferred to the UK on the transfer bases referred to in Chapter V of the General Data Protection Regulation.
The European Commission could make an adequacy decision for the UK, enabling the transfer of personal data on that basis. In that case, the Commission's adequacy decision would constitute the primary basis for data transfers. However, deciding that a third country offers an adequate level of protection will require preparation and a comprehensive survey of the third country’s justice system. In the absence of such a decision, transfers of personal data will require the appropriate safeguards referred to in Article 46 of the GDPR. If appropriate safeguards are not applicable as a transfer basis either, the derogations for specific situations provided for in Article 49 of the GDPR may be applied in certain limited cases.
The European Council agreed to delay the United Kingdom’s withdrawal date until 31 January 2020. This flexible extension allows the UK to leave the EU even earlier, should the withdrawal agreement take effect prior to that date. In that scenario, Brexit could become effective either on 1 December 2019 or 1 January 2020.
If your organisation is transferring personal data to the UK
- Conduct a review of all personal data you are transferring to the UK.
- If such transfers will continue after Brexit:
  - Determine the appropriate basis for the transfers under Chapter V of the GDPR.
  - Make sure that the basis for transfer is in place before the implementation of Brexit.
  - Update your organisation’s data protection documentation with regard to the transfers and inform your customers if necessary.
Please note that some transfer bases require longer preparations, while others can be implemented fairly quickly.
Immediately available bases for transfer:
- Standard Contractual Clauses adopted by the Commission (SCC)
- Binding Corporate Rules (BCR), provided they are in place and cover the UK
- Derogations for specific situations (Article 49)
Transfer bases requiring more preparation:
- Codes of Conduct
- Certification mechanisms
- Provisions inserted into administrative arrangements
Transfers of personal data from the UK into the EU/EEA
The government of the United Kingdom has stated that it intends to maintain the free movement of data from the UK into the European Union and European Economic Area. The UK government also intends to recognise the EU's decisions on the adequacy of data protection, which would permit their use for the transfer of data from the UK to countries or international organisations whose level of data protection has been deemed sufficient by the European Union.
Rules on data transfers to third countries on the Commission’s website
The European Data Protection Board’s Information Note on data transfers under the GDPR in the event of a no-deal Brexit