If your organization uses third parties who process personal data outside the European Economic Area (EEA), additional measures must be taken. In practise, use of the ‘Standard Contractual Clauses’ as additional measures is common. This mechanism was likely to be used for processing of personal data in the United Kingdom post Brexit. However, an adequacy decision from the European Commission for the UK seems at hand. Encouraging news for companies that for example use service providers located in the UK to process personal data.
Since February 1st, the UK officially left the EEA. With regard to transferring of personal data the UK and the EEA agreed to a transit period of 4 months. This transit period can be extended for 2 months until July 1st 2021. However unclear at the time of writing, the transit period is most likely to be extended. Expectations are that the European Commission will adopt an adequacy decision for the UK before the 1st of July.
Last February, the European Commission submitted a draft decision to the European Data Protection Board (EDPB), the cooperation of EER’s data protection authorities. In April, the EDPB has given a predominantly positive advice, mainly because the UK has largely incorporated the European privacy legislation (GDPR) into its national legislation.
The significance of this ‘adequate’ classification is that an adequate level of protection – similar to the GDPR – of the processing of personal data is guaranteed. No additional measures are necessary for data exchange to or from the UK. Positive news, as it prevents companies from having to draft and conclude completely new processor agreements with organizations in the UK.
We recommend you to make an inventory of contracting parties who process personal data in the UK. Your processing register can serve as a guideline. If the adequacy decision for the UK becomes reality, processing agreements only have to be adjusted to a limited extend. For example the provision with regard to processing outside the EEA. Agreed adjustments or additions can be attached in writing to the existing agreement. Another recommendation is to update your privacy policy.
If no adequacy decision is adopted, there’s a lot work to be done for companies. Therefore, hopefully the European Commission will take action expeditiously.
Questions? We’re happy to be your partner in business.