The EU rules for personal data transfers to third countries will apply to the UK from 30 March 2019, subject to any transitional arrangement agreed by UK and EU officials in the run-up to the exit of the UK from the EU, according to the European Commission's notice to stakeholders.

The notice sets out the mechanisms that could apply for the continued free flow of personal data between the UK and the EU once the departure of the UK from the EU has taken effect.

Adequacy decision

The free flow of personal data between the UK and the EU could continue to take place based on an adequacy decision issued by the Commission confirming that the UK's data protection framework ensures an adequate level of protection of personal data (requirement indicated in Article 41 of the GDPR).

Personal data transfer subject to appropriate safeguards

Where there has been no adequacy decision, it is down to each organisation to ensure that adequate safeguards are put in place for the protection of personal data transferred outside the EU (Article 42 of the GDPR). According to the notice, these safeguards may be provided by:

  • Standard data protection clauses: in the form of template transfer clauses adopted by the Commission and available on its website.
  • Binding Corporate Rules (BCRs): BCRs constitute agreements governing transfers made between organisations within their group of entities or subsidiaries. The ICO has recently clarified the status of the authorisation and application process for BCRs under the GDPR. More information on this can be found in our previous update.
  • Approved Codes of Conduct: compliance with a Code of Conduct approved by a supervisory authority together with binding and enforceable commitments of the controller or the processor in the third country.
  • Approved certification mechanisms: certification under an approved certification mechanism together with binding and enforceable commitments of the controller or the processor in the third country.

Derogations for personal data transfer in certain circumstances

In the absence of an adequacy decision or appropriate safeguards, personal data transfers may take place through the derogations mechanism, which allows transfers in specific cases including: transfers based on the individual's consent; where it is necessary for the performance of a contract; and where it is necessary for important reasons of public interest.

Comment and next steps

The notice aims to remind all stakeholders processing personal data of the legal repercussions which need to be considered when the UK becomes a third country. The notice should be read in conjunction with the recent Commission position paper indicating the key principles which need to be considered in relation to data received or processed before the withdrawal date (and after the withdrawal date, subject to the withdrawal agreement). More information on the position paper can be found in our previous update.

The Commission also announced that it has set up a stakeholder group made up of industry, civil society and academics, which will discuss this topic in further detail.