The scenario of a no-deal Brexit has become ever more likely since Brexit hardliner Boris Johnson was appointed British Prime Minister on July 24, 2019. He already announced his intention to lead the United Kingdom out of the EU with or without a deal by October 31, 2019 at the latest. Insofar we would like to follow up on our previous article and again refer to the obligations under data protection law in case of a hard Brexit

After a hard Brexit, the UK will definitely become a third country to which personal data may no longer be transferred without meeting certain conditions. In addition, the transfer of personal data to a third country must be taken into account in relation to the information to be provided under Article 13 GDPR, the right of access by data subjects, the maintaining of records of processing activities, or the examination of the need to carry out a data protection impact assessment. The term “transfer” not only comprises the active transfer of data, but also the option of accessing such data (such as by reading out a database).

As long as the EU Commission does not issue an adequacy decision, thus conveying on the United Kingdom an adequate level of data protection comparable to that of the EU, companies must take other actions in terms of data protection law during data transfer to prevent possible data protection violations and the risk of fines. Under the GDPR, the transfer to third countries is generally permissible if, in addition to a legal basis for the data transfer (usually the initiating or performing of contractual relationships or consent pursuant to Article 6(1)(a) and/or (b) GDPR), there are additional safeguardsfor permissible data transfer to the country of destination. The following can be used for this purpose:

1.   the conclusion of EU standard contractual clauses: These are standard contracts on data protection, which are to be adopted unchanged.

2.   the creation of group-wide rules for corporate data transfer to third countries, referred to as binding corporate rules: introducing such standards is a long and costly process, however.

3.   individually negotiated data protection clauses between the parties: these, in turn, require the approval of the competent supervisory authority in each individual case.

Since the binding corporate rules and individual data protection contracts are time-consuming and costly, it is generally more practicable, for small and medium-sized businesses in particular, to use the EU standard contractual clauses.

As an exception, data may also be transferred without safeguards if data subjects have expressly consented to the data transfer to a third country and have been adequately informed of the lack of an adequate level of data protection. A transfer is also possible should the data be necessary for pre-contractual measures or for the performance of a contract. This relates in particular to everyday cases in which data subjects have initiated the pre-contractual or contractual measures, such as reservations of hotels and international transport services, processing of international transfers/orders by banks, or dispatch of ordered goods for the fulfilment of the contract.

In addition to ensuring that personal data transferred to the UK is in compliance with data protection regulations, companies should also draft or adapt the above-mentioned documentation required by the GDPR. Particularly the following actions must be taken into account:

  • documenting the third country transfer (and its lawfulness) in the records of processing activities
  • informing on the data transfer to a third country and on the safeguards available or the relevant exceptions in the privacy policy
  • informing on the data transfer to a third country in response to a request for information
  • examining the need to carry out a data protection impact assessment based on the data transfer to a third country
  • adapting existing contracts on order processing (e.g., HR data processing by a group company in the UK)

The websites of the Baden-Württemberg State Data Protection Commissioner for Data Protection and Freedom of Information and of the Bavarian Data Protection Commissioner offer good overviews of the topic and additional information.