Data Protection Academy » Data Protection News » GDPR and Brexit
GDPR and Brexit
Even if it currently looks as if the exit of the United Kingdom (UK) from the EU will be postponed further, it makes sense to deal with the focal point of Brexit now. Because with the UK's exit, it will be declared a third country.
With regard to the General Data Protection Regulation (GDPR) this means that personal data can only be transferred under certain conditions. This is because the GDPR always initially assumes that no equivalent level of data protection is guaranteed when classifying countries outside the EU.
In the case of the United Kingdom of Great Britain and Northern Ireland there are two scenarios:
Possible Brexit scenarios
Scenario 1: Deal-Brexit / regulated exit
- The GDPR continues to apply for the transitional period until the end of 2020.
- The transitional period may be extended by one year, with a deadline of 01.07.2020.
- Firstly, there is no impact on cooperation.
Scenario 2: No-Deal-Brexit / unregulated exit
- The UK becomes a third country within the meaning of the GDPR.
- Concrete effects on the transfer of personal data.
In what case do entrepreneurs need to prepare for the no deal brexit?
If entrepreneurs answer 'yes' to any of the following questions, measures must be taken to ensure the level of data protection:
- Are branches, sales staff or even the headquarters of your company located in the UK?
- Do you transfer personal data to service providers or cooperation partners based in the UK?
- Are subcontractors of your contract processors located in the UK? Please note that this also applies to subcontractor situations (e.g. computer centres).
External Data Protection Officer
You are welcome to appoint us as your external data protection officer (DPO). We also offer individual consulting services as well as audits and will be happy to provide you with a non-binding offer. You can find more information about our external data protection officers on our website.
Five steps to prepare for a no-deal Brexit
- Determine which processing operations entail a transfer of personal data to the United Kingdom of Great Britain and Northern Ireland
- Determine the appropriate data transfer instrument (e.g. standard contractual clauses, binding corporate rules) for your situation.
- Convert the selected data transfer instrument so that it is ready for Brexit.
- Make a note in your internal documentation that transfers will be made to the UK.
- Update your privacy policy to inform individuals accordingly.
Three concrete measures
The independent federal and state data protection supervisory authorities recommend the following measures in particular:
- The information sheet on data processing and the privacy statement of a website shall provide information on the transfer of data to the third country and on the appropriate data protection safeguards used.
- When a data subject exercises his or her right of access, he or she must also be informed about the transfer of data to the third country and the appropriate data protection safeguards applied.
- The list of processing activities shall identify transfers of data to the third country as such and provide the other information required in this context.
- COVID-19 and data protection - March 25, 2020
- Data protection in the USA - part 3 of the delegation visit - December 6, 2019
- Data protection in the USA - part 2 of the delegation visit - December 3, 2019