Brexit and GDPR

Andreas Maetzler on October 14th, 2020

We put together information on the most burning questions when it comes to Brexit and GDPR and we have an offer for you to get the topic off your mind in an easy and hands-on way!

Situation until the end of the transition period

After the UK left the EU, a transition period started for the negotiation of the future relationship between the UK and the EU. The transition period will end on December 31st, 2020.

References: ICO FAQs

Situation from January 1st 2021 onwards

In principal EU law will no longer be applicable in the UK from January 1st onwards and the UK may decide which part of the EU legal framework to retain in domestic law. Regarding GDPR, the UK government has already published its UK version.

'UK GDPR' will come into force after the transition period and, together with an amended version of the Data Protection Act 2018, will build the privacy framework in the UK. The amendments in the UK GDPR pertain especially to the provision on the supervisory authority and other technical provisions to make the UK GDPR fit for an UK-only application whereas the rights and obligations stay nearly the same. The new data protection framework has already been passed which means that the compliance requirements imposed on UK businesses and the rights for data subjects will continue.

References: Keeling Schedule for GDPR, Keeling Schedule for Data Protection Act 2018, Data Protection Exit Regulation, ICO: Will the GDPR still apply?, ICO FAQs



Do UK companies need to appoint an EU representative?

With Brexit, the UK has become from the perspective of the EU a "third country" meaning that it is no longer a Member State and the rules for international data transfer apply. According to Art 27 GDPR controllers and processors not established in the EU need to appoint a representative when:

  • offering goods or services to individuals in the EEA
  • monitoring the behaviour of individuals in the EEA.

The ICO informs UK companies about the obligation to appoint a representative for more than a year. Such obligation did not change throughout the different Brexit scenarios. So, in either case of Brexit with a deal or with no deal Brexit, UK companies will be required to appoint an EU representative in the event they reach out to the European market without having an establishment within the EU. As a law firm we offer you a SaaS solution for representation in all EU member states with a special Brexit offer.

Resources ICO: Requirement for an EU representative, ICO FAQs

Do non-UK companies need to appoint a UK representative?

The UK government has stated that from January 1st 2021 onwards, non-UK companies (so either companies in the EU or in third countries) need to appoint a UK representative when

  • offering goods or services to individuals in the UK
  • monitoring the behaviour of individuals in the UK

without an establishment in the UK. Thus, the UK version of GDPR effective from January 1st 2021 contains an obligation to appoint a UK representative in Art 27 UK GDPR. The ICO also mentions such obligation on various occasions. We have adapted our SaaS solution for UK representation and can offer you our LegalTech services from our new UK office.

Resources: Keeling Schedule for GDPR, ICO: Requirement for an EU representative, ICO FAQs

What do you need to know about the EU-UK data transfer?

The UK government has announced that data flow from the UK to the EU will not be restricted. The question is whether data will be allowed to flow in the opposite direction, from the EU into the UK, without any restrictions.

At the end of the transition period the data transfer from the EU to the UK will fall under the provision for international data transfer. The easiest way to allow for data transfer would be an adequacy decision, which is currently subject to negotiations. Even before the decision of the ECJ C-311/18 (Schrems II) the EDPB indicated concerns on the UK-US agreement on data transfers and saw potential impacts on an adequacy decision. Schrems II inevitably needs to address such concerns and the risk that an adequacy decision will not be granted.

Irrespective of an adequacy decision, the EU Commission has issued a notice to all stakeholders outlining the possibility of transfers on the basis of "appropriate safeguards".

Resources: ICO FAQs, EU Commission: Notice to Stakeholders, EDPB: letter to the EU Parliament, ECJ C-311/18 (Schrems II)

Special BREXIT Offer *

Appoint your EU or UK representative free of charge until the requirements enter into force and get a 10% discount for 2021 on top!

How it works: Apply your voucher “brexit2021".

* Applicable for UK and EU companies only.