The European Data Protection Board (“EDPB”) has issued a note on how to approach overseas personal data transfers with the United Kingdom in case there would be a no-deal Brexit.
No- Deal Brexit
First of all what is understood under a no-deal Brexit? We explained that in our earlier post: what “a hard Brexit” actually meant. In short: if the UK and the European Union do not reach a Withdrawal Agreement before the 29 March 2019. There will be no transition period for the UK to leave the European Union in an orderly fashion. The UK will leave the EU with all current trading and regulatory links ending immediately as it departs.
EDPB on Data Transfers in case of a No- Deal Brexit
The EDPB distinguishes two possible transfers, those from the EEA (European Economic Area) to the UK and transfers from the UK to the EEA. Where it must be noted that if there is no deal, the EDPB does not have any authority over what the UK government decides with respect to the personal data of its citizens.
The start date for possible safeguards to be in place is 30 March at 00.00 AM.
Data Transfers to The United Kingdom
In case of a no deal, the transfer can only be made under (one of) the following safeguards:
– Standard or ad hoc Data Protection Clauses;
– Binding Corporate Rules;
– Codes of Conduct and Certification Mechanisms;
– Derogations (which can only be used of none of the above are in place).
If you haven´t got any safeguards in place yet, the most likely to use are the Standard Contractual Clauses. Those clauses cannot be negotiated and are therefore very quick and easy to apply.
The rest of the options are, although valid, more time consuming and it is doubtful that you will have these in place on time. However you can rely on these safeguards if you already had them in place.
Derogations are described in article 49 GDPR (the General Data Protection Regulation) and can be used if you don´t have other safeguards in place. But the issue with derogations is that they can only be used for punctual, non repetitive, transfers.
Preparation data transfers to the UK in case of a no- deal
The EDPB has identified five steps organisations should follow if the transfer to the UK:
- identify what data processing involves a transfer to the UK;
- determine the appropriate safeguard (which at this moment in time will probably be the Standard Contractual Clauses);
- Implement that safeguard before the 30 of March (13 working days to go);
- Update your internal documents and privacy notice to inform your Data Subjects.
Data Transfers from the UK
It is up to the UK government to decide on what measures should be taken when transferring personal data to the EEA. At the moment transfers may be effectuated as previously when the UK was still a member of the Union.
The entire note can be found here: EDPB on Data Transfers in case No-Deal Brexit.