Brexit and GDPR

Andreas Maetzler on October 14th, 2020

We put together information on the most burning questions when it comes to Brexit and GDPR and we have an offer for you to get the topic off your mind in an easy and hands-on way.

Situation until the end of the transition period

After the UK has left the EU, a transition period started for the negotiation of the future relationship between the UK and the EU. The transition period will end on December 31st, 2020.

References: ICO FAQs

Situation from January 1st 2021 onwards

In principal EU law will no longer be applicable in the UK from January 1st onwards and the UK may decide which part of the EU legal framework to retain in domestic law. Regarding the GDPR the UK government already published its UK version.

'UK GDPR' will enter into force after the transition period and will build together with an amended version of the Data Protection Act 2018 the privacy framework in the UK. The amendments in the UK GDPR pertain especially the provision on the supervisory authority and other technical provisions to make the UK GDPR fit for an UK only application whereas the rights and obligations stay nearly the same. The new data protection framework has already been passed which means that the compliance requirements imposed on UK businesses and the rights for data subjects will continue.

References: Keeling Schedule for GDPR, Keeling Schedule for Data Protection Act 2018, Data Protection Exit Regulation, ICO: Will the GDPR still apply?, ICO FAQs



Do UK companies need to appoint an EU representative?

With Brexit the UK has become from the perspective of the EU a "third country" meaning that it is no longer a Member State and the rules for international data transfer apply. According to Art 27 GDPR controllers and processors not established in the EU need to appoint a representative when:

  • offer goods or services to individuals in the EEA
  • monitor the behaviour of individuals in the EEA.

The ICO informs UK companies about the obligation to appoint a representative for more than an year. Such obligation did not change throughout the different Brexit scenarios. So in case of a Brexit with a deal as well as in case of a no deal Brexit UK companies will be required to appoint an EU representative in case they reach out to the European market without having an establishment within the EU. As a law firm we offer you a SaaS solution for the representation in all EU member states with a special Brexit offer

Resources ICO: Requirement for an EU representative, ICO FAQs

Do non-UK companies need to appoint a UK representative?

The UK government already stated that from January 1st, 2021, onwards non-UK companies, so either companies in the EU or in third countries, need to appoint a UK representative when

  • offering goods or services to individuals in the UK
  • monitoring the behaviour of individuals in the UK

without an establishment in the UK. Thus, the UK version of GDPR effective from January 1st, 2021, contains an obligation to appoint a UK representative in Art 27 UK GDPR. The ICO also mentions such obligation on various occasions. We adopted our SaaS solution for the UK representation and offer you our legaltech service also from our new UK office.

Resources: Keeling Schedule for GDPR, ICO: Requirement for an EU representative, ICO FAQs

What do you need to know on the EU-UK data transfer?

The UK government already announced that the data flow from the UK to the EU will not be restricted. The question is, if data can also flow from the other side so from the EU to the UK without any restrictions:

At the end of the transition period the data transfer from the EU to the UK will be falls under the provision for international data transfer. The easiest way to allow for the data transfer would be an adequacy decision, which is currently subject to negotiations. Even before the decision of the ECJ C-311/18 (Schrems II) the EDPB indicated concerns on the UK-US agreement on data transfers and saw potential impacts on an adequacy decision. Schrems II inevitably needs to increase such concerns and the risk that an adequacy decision will not be granted.

Irrespective of an adequacy decision the EU Commission issued a notice to all stakeholders outlining the possibility of transfers on the basis of "appropriate safeguards".

Resources: ICO FAQs, EU Commission: Notice to Stakeholders, EDPB: letter to the EU Parliament, ECJ C-311/18 (Schrems II)

Brexit Offer *

Free until needed - appoint your EU or UK representative now free of charge until the requirements enter into force and get a 10% discount for 2021.

How it works: Start the onboarding and apply the voucher “brexit2021”. We open an account for you with all features so you can do your setup. The account is free of charge for the transition period and we grant you another 10% discount for 2021. To perform a KYC check via a penny transfer we only charge EUR 1 to verify your company's existence.

* Applicable for UK and EU companies only.