This website uses cookies

Our website uses cookies from third parties to help us analyse and improve our services and products. You can opt-out of these cookies if you wish to do so. Read more.

picture

News

Privacy and Data Protection: Brexit and third countries

maandag 22 november 2021

As we all know the UK left the EU with effect from 1 January 2021. How does this affect the transfer and processing of personal data in the UK. The Withdrawal Agreement entered into by the EU and the UK regarding the withdrawal of the UK from the EU sets out a certain transitionary period. This transitional period expired as from 1st July 2021, meaning that the UK is treated as a third country with respect to the transfer and processing of personal date. What does this mean in practice for privacy and data protection?

When can personal data be transferred to a third country?

The Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) sets out the rules for the transfer of personal data from controllers or processors in the EU to third countries and international organisations, as set out in Chapter V of the GDPR. The main rule is that personal data may only be transferred to a third country in the event that adequate protection level is available.

The Adequacy Decision of the EC regarding personal data

The good news is that on the 28th June 2021, the EU has passed a Commission Implementation Decision, decision on the adequate protection of personal data by the united kingdom - general data protection regulation (Adequacy Decision). The EU Commission has carefully analysed the law and practice of the UK and concluded that the UK ensures an adequate level of protection for personal data transferred within the scope of Regulation (EU) 2016/679 from the EU to the UK. After a period of 4 years, effective from 1st July 2021, the Adequacy Decision will be reviewed by the EU.

What is the Adequacy Decision?

This Adequacy Decision means that there are no consequences for the transfer and processing of personal data between an EU member state and the UK. There is no need to take action and there is no need to use Standard Contractual Clauses, or to use the Binding Corporate Rules (BCRs).

What are the Standard Contractual Clauses?

The EU has developed so-called standard contractual clauses (SCCs) under the GDPR for data transfers from controllers or processors in the EU/EEA to controllers or processors established outside the EU/EEA. These SCCs have been updated and the EU issued modernised standard contractual clauses on the 4th June 2021. 

What are the Binding Corporate Rules?

The BCRs were developed by the UK to allow multinational corporations, international organisations, and groups of companies to make intra-organisational transfers of personal data across borders in compliance with the GDPR. These companies submit the binding corporate rules for approval to the EU.

When do you use Standard Contractual Clauses or the Binding Corporate Rules?

However, any company within the EU which transfers or processes personal data  country outside EEA (European Economic Area) needs to obtain “adequate” protection. This means that either the SCCs or BCRs will need be used in order to transfer data from controllers or processors in the EU/EEA to controllers or processors established outside the EU/EEA.

Schrems II

The SCCs were updated as a result of the Schrems II judgment of the Court of Justice of 16th July 2020. The court ruled that simply entering into SCCs was not sufficient. Each organisation that exports personal data outside the EEA, needs to assess case-by-case whether the legislation of the receiving country meets the protection requirements that is in line with the SCCs.

What are the innovations of the new Standard Contractual Clauses?

The new SCCs provide businesses with an easy-to-implement template and offer a more legal predictability to European businesses. The new SCCs in particular help SMEs to ensure compliance with requirements for safe data transfers, while allowing data to move freely across borders, without legal barriers. The new SCCs covers all transfers in the entire chain from controller to (sub)processor to controller.

The main innovations of the new SCC include the following:

  1. One single entry-point covering a broad range of transfer scenarios, instead of separate set of clauses;
  2. More flexibility for complex processing chains, through a “modular approach” and by offering the possibility for more than two parties to join and use the clauses;
  3. Practical toolbox to comply with the Schrems II judgments, i.e. an overview of the different steps companies have to take to comply with the Schrems II judgment as well as examples of possible “supplementary measures” such as encryption, that companies may take if necessary.

In the event that an organisation already uses the old SCCs, a transitionary period of 18 months is provided within which the new version of the SCCs need to be used.

Are you looking for an lawyer experienced in the international aspects of privacy law, or if you have any queries or questions relating to the processing or transfer of personal data to a third country, please contact Madelon van Breemen.

Madelon van Breemen

international

+31 (0)10 209 27 65
LinkedIn
Download vCard
Send e-mail
Yvonne Jansen

commercial property and investment

+31 (0)10 209 27 75 jansen@lvh-advocaten.nl
Madelon van Breemen

international

+31 (0)10 209 27 65 vanbreemen@lvh-advocaten.nl
David Harreman

enterprise and government

+31 (0)10 209 27 77 harreman@lvh-advocaten.nl
Rob Steenhoek

companies in financial struggle

+31 (0)10 209 27 52 steenhoek@lvh-advocaten.nl

More lawyers >
Zoek in artikelen
Bouwe Bos

conflicts

+31 (0)10 209 27 63 bos@lvh-advocaten.nl
Madelon van Breemen

international

+31 (0)10 209 27 65 vanbreemen@lvh-advocaten.nl
Daniël van Genderen

business and government

+31(0)10 209 27 75 vangenderen@lvh-advocaten.nl
Peter de Graaf

companies in financial struggle

+31 (0)10 209 27 52 degraaf@lvh-advocaten.nl
Yvonne Jansen

commercial property and investment

+31 (0)10 209 27 75 jansen@lvh-advocaten.nl
David Harreman

enterprise and government

+31 (0)10 209 27 77 harreman@lvh-advocaten.nl
Lisa Kloot

employees

+31(0)10 209 27 61 kloot@lvh-advocaten.nl
Ben van Nieuwaal

business and government

+31 (0)10 209 27 75 vannieuwaal@lvh-advocaten.nl
Michelle Reevers

aviation, enterprise and business 

+31 (0)10 209 27 75 reevers@lvh-advocaten.nl
Hans Rijntjes

conflicts

+31 (0)10 209 27 55 rijntjes@lvh-advocaten.nl
Rob Steenhoek

companies in financial struggle

+31 (0)10 209 27 52 steenhoek@lvh-advocaten.nl
Peter Verheijden

enterprise and business, employees

+31 (0)10 209 27 55 verheijden@lvh-advocaten.nl
Justin de Vries

companies in financial struggle

+31 (0)10 209 27 52 devries@lvh-advocaten.nl