In a Notice to Stakeholders from 9th January, the EU Commission points out that the UK will with its withdraw from the Union (aka „the Brexit“) become a ‚third country‘ from 30 March 2019, 00:00h (CET).
„In view of the considerable uncertainties, in particular concerning the content of a possible withdrawal agreement, all stakeholders processing personal data are reminded of legal repercussions, which need to be considered when the United Kingdom becomes a third country“, the Commission admonishes private parties.
Data Exporters from the remaining EU Member states are required to provide adequate safeguards as of the withdrawal date, the EU rules for transfer of personal data to third countries apply. In the absence of an „adequacy decision“ for the UK, which would allow the free flow of personal data from the continent across the Channel, the controller or processor will need to have additional safeguards for any data export to the UK, unless such transfer is based the on specific cases of the so-called „derogations“ of the adequacy requirement (e.g. consent, performance of a contract, exercise of legal claims or for important reasons of public interest).
„Preparing for the withdrawal is not just a matter for EU and national authorities but also for private parties“, the Commission says.
Even if almost every data protection compliance project these days will be focused on the specific date of May 25th companies with a cross-channel data link should also keep March 30th 2019 in mind, when the United Kingdom becomes ‚third country‘.