In six weeks the UK will leave the EU, and the likelihood of a no-deal Brexit increases with every day that passes without a “deal”. Theresa May has just failed in Parliament with a draft resolution that was meant to confirm both a mandate to renegotiate the Brexit deal and a refusal to withdraw from the EU without an agreement.
Companies are therefore well advised to prepare as quickly as possible for the scenario of a no-deal Brexit. In this case, the UK will become a third country in terms of data protection law, to which data transfers are only possible under certain conditions. The “Information note on data transfers under the GDPR in the event of a no-deal Brexit” of the European Data Protection Committee offers assistance in carrying out compliant data transfers in the future. According to this note, various adjustments have to be made in the area of data protection. This applies to data transfers within a company, within the company group and to third parties.
1. Examination of the data and persons concerned
First of all, the company should check whether data are transmitted to the UK, and which. Don’t forget “exotic” topics, such as travel bookings for employees. Since, in our experience, this important preparatory work takes some time, companies should start this check immediately.
Only once it is known which data will be transferred to the UK, and for which purpose, can the further necessary measures be taken.
2. Appropriate guarantees for the transfer
The problem with Brexit is the short time remaining to take appropriate action. That is why, for example, a European Commission adequacy decision, which would bring many benefits, will no longer be possible before 30 March 2019. Even if such a decision is likely to be taken in the future, companies will have to resort to other means until then.
These solutions can be taken directly from the GDPR. Either one of the exceptions listed in Art. 49 GDPR is relevant or the recipient guarantees an adequate level of data protection by means of appropriate guarantees. However, these exceptional provisions are to be interpreted narrowly and are only relevant in the explicitly mentioned cases.
Groups which already have binding corporate rules can in future simply base their transfer to the UK within the group on these. However, the remaining time is also too short to draft and implement new binding corporate rules within the group.
However, further possibilities remain for lawful data transfers at short notice. First of all, the conclusion of the so-called standard data protection clauses should be considered. These are model clauses published by the European Commission for various scenarios (order processing or transfer between two controllers). However, the standard data protection clauses may not be changed by the parties. If the clauses are amended, they are considered as an individual contract, which must be approved by the competent supervisory authority.
In individual cases, the transfer may also be based on the consent of the person concerned. As in the past, however, consent is certainly not suitable for regular data transfers.
3. Further necessary adjustments
In addition to securing the actual transfer, other points must be taken into account in the company in order to establish data protection compliance:
- Adaptation of data protection information in accordance with Art. 13/14 GDPR and all documents containing such information
- Adaptation of the processing directories concerned
- Adaptation of the information process in accordance with Art. 15 GDPR
- Possible first-time performance of a data protection impact assessment
These adaptations should be carried out in consultation with experts, as the transfer of data to third countries poses particular data protection problems.
Every controller that transfers personal data from an EU member state to the UK must prepare for a no-deal Brexit now at the latest in order to be able to guarantee compliance with data protection law after 29 March 2019. This is also recommended by German supervisory authorities. Otherwise there is a risk of proceedings by the supervisory authorities and fines.