GDPR and Brexit: How Data Transfers will be affected.

The European Commission has issued a statement which provides important information to companies and individuals who continue to transfer data to the UK from the EU / EEA following the withdrawal of the UK from the European Union on 31st December 2020.

As of 1 January 2021, transfers of personal data to the United Kingdom are governed by the EU-UK Trade and Cooperation Agreement, agreed by EU and UK negotiators on 24 December 2020 and provisionally applicable since the 1st of January 2021. The Trade and Cooperation Agreement provides for an interim regime (so-called ‘bridging clause’) that ensures the full continuity of data flows between the EEA and the UK, with no need for companies and public authorities to put in place any transfer tool under the General Data Protection Regulation or the Law Enforcement Directive. This solution applies for a maximum period of six months and is conditional on the commitment by the UK not to change the data protection regime currently in place. In essence, this means that the UK must continue to apply the data protection rules, based on EU law, that were applicable during the transition period.

On 19 February 2021, the Commission launched the procedure for the adoption of two adequacy decisions for transfers of personal data to the United Kingdom, under the General Data Protection Regulation and the Law Enforcement Directive, respectively. The publication of the draft decisions is the beginning of a process towards their adoption. This involves obtaining an opinion from the European Data Protection Board and the green light from a committee composed of representatives of the EU Member States. Once this procedure has been completed, the Commission will adopt the two adequacy decisions.

Therefore, data transfers to and from the EU remain unaffected for at least 6 months and on the condition that the privacy regime In the UK remains unaffected. Once the proposed adequacy decisions are Implemented, entities that transfer data to the UK from the EU / EEA will need to ensure that they document the change of legislative framework and the implementation of the adequacy decision.

Elias Neocleous & Co LLC can help organizations carry out this exercise effectively and to comply with their rights and obligations under the GDPR. Our Data Privacy and Cybersecurity Team consisting of legal advisors, lawyers and technical consultants with substantial collective experience and expertise in all areas of Privacy and Cyber-security and our state-of-the-art data center provide the resources and infrastructure required to provide services of the highest quality to our clients. Our collective expertise and experience in advising clients on data protection and privacy matters for more than 20 years is what really makes us stand out from the competition. Our extensive base of clients consists of local authorities, government departments and numerous multinational and national business organizations, most of which are well known household names.

To discuss the ways in which we can help you and your business, you may contact us by email at [email protected] or reach out to your usual contact at Elias Neocleous & Co. LLC.