Brexit and the transfer of personal data to the UK
The withdrawal of the United Kingdom from the EU came into effect on 1 February 2020. On 24 December 2020, the European Commission and the UK reach an agreement on their future relationship. When the transition period ended at the end of 2020, the UK lost all its rights and obligations as a Member State.
The EU and the UK have agreed in their Trade and Cooperation Agreement on bridging period, during which the transfer of personal data to the UK may continue under the same conditions as before and during the transition period until 30 June 2021.
This means that, until the end of the bridging period, the same rules apply to the transfer of personal data to the UK as to transfers within the EU. Controllers and processors do not have to apply the safeguards provided for in Chapter V of the GDPR before the bridging period has ended.
Transfer of personal data to the UK after the transition period
The European Commission may issue two data protection adequacy decisions for the UK under the General Data Protection Regulation (GDPR) and the Data Protection Law Enforcement Directive. In such case, the adequacy decisions issued by the Commission will take priority over other bases for transfer. We will publish information about any adequacy decision on our website.
If no adequacy decisions are issued or the level of protection of personal data is found to be inadequate, after the bridging period personal data may be legally transferred to the UK only by applying one of the transfer bases provided for in Chapter V of the General Data Protection Regulation.
European Data Protection Board’s guidelines on the transfer of personal data to the UK after the transition period
- Statement on the end of the Brexit transition period (pdf on EDPB's website)
- Information note on data transfers under the GDPR to the United Kingdom after the transition period (pdf on EDPB's website)
Information about Brexit on Prime Minister’s Office’s website