Brexit and data protection

Brexit and data protection

The process of the United Kingdom’s exit from the European Union(Brexit) culminated on January 1, 2021 and it will be considered as a “third country” that are outside the territory of the Union, with the consequences that this entails in terms of data protection, mainly regarding international data transfers.

EU – UK Agreement

TheUK-EU Trade and Cooperation Agreement (UK-EU Trade and Cooperation Agreement), in its point 176, states the following:

The UK and the EU have reaffirmed their commitment to higher standards of personal data protection, which contribute to trust in the digital economy and the development of trade. high standards of personal data protection, which contribute to trust in the digital economy and the development of trade and are a key element in the legally effective implementation of the cooperation agreement.

Currently, the UK has its own data protection regulations, DATA PROTECTION ACT 2018, where its Chapter 5 talks about transfers of personal data outside the UK, which may not take place, unless the transfer is necessary and proportionate in accordance with the lawful functions of the Controller, or when it is related to national security or intelligence services issues.

However, as in any transition period, a vactio legis period was agreed, where data transfers between the United Kingdom and the European Union will continue as before, under the rules of the GDPR, being this period of 6 months.

If you have dealings with UK companies or UK citizens

That is to say, until June 30, 2021 we will not see substantial changes, but it will be a period in which companies that have commercial relations with English companies will have to adopt essential measures to continue such commercial relationship after the dead line.

What are these measures to be adopted by our companies located in Spain?

The measures to be taken are as follows, in relation to international transfers:

— First, analyze and detect if the business activities include data transfers to the United Kingdom.

— If so, verify through which instrument such transfers were made.

In view of the new legal situation in the United Kingdom, choose one of the following options to carry out data transfers:

  • Standard data protection clauses
  • Binding corporate standards
  • Certification mechanisms
  • Codes of conduct
  • Binding and enforceable legal instrument between the various authorities

Which would be the same options established by the GDPR in its Article 46, in the case of the invalidation of the EU-US Privacy Shield by the Court of Justice of the European Union(CJEU).

On the other hand, at an internal level, companies in Spain should ask their Data Protection Consultant or their DPD to update their documents as follows:

Analyze the need to prepare an Impact Assessment

Update your Treatment Activity Log

Update the section on Data Transfers and Assignment in the Data Protection Policies. Data Protection Policies.

The big novelty is imposed by the UK Data Protection Agency (Information Commissioner’s Office, ICO) as it will oblige any company offering goods or services to individuals in the UK, and which do not have representative offices or subsidiaries with a physical presence in the UK territory, to appoint a representative in the UK, this in compliance with the provisions of the Data Protection Act 2018.

In order to appoint this representative in the United Kingdom, the following requirements must be met:

— The appointment shall be made through a written contract.

— The contract must state that the person acts as the company’s representative in the United Kingdom for all matters relating to data protection.

— That the designated person has specific training in data protection; a kind of Data Protection Officer (DPD / DPO).

— This figure of the representative must be reflected in the Data Protection Policies.

In all this new universe of changes brought about by the Brexit, it remains for the European Commission to qualify the United Kingdom as a country that offers sufficient guarantees in terms of data protection, for the purpose of avoiding additional or exceptional requirements due to lack of guarantees.

Therefore, we will have to be attentive to how this matter is resolved and to determine possible further actions.

Put yourself in expert hands

Business Adapter® data protection in Valencia helps you:

[su_button url=”https://businessadapter.es/contacto” target=”blank” background=”#f6f903″ color=”#181818″ size=”7″ center=”yes” icon_color=”#000000″]CONTACT[/su_button]

Contact us, we will be pleased to help you.
error: Content is protected !!