- 18 Feb 2019
- Philip Nabben
The United Kingdom will, following the Brexit, no longer fall within the scope of the GDPR and the country has not (yet) been included on the European Committee’s list of countries with an adequate level of protection. You can click here for my earlier article dated 4 February 2019.
As the Brexit date keeps drawing nearer, the European Data Protection Board has drafted an instruction document on February 12th, 2019, outlining the transfer of personal data under the GDPR in case of a ‘no-deal’ Brexit. The Data Protection Board is a separate committee consisting of the heads of the supervisory authorities of all EU member states.
The main guideline in case of transfer of personal data from an EU member state to a non-EU country is that the relevant organisation may only transfer personal data to a third-country with an adequate level of protection. That list of countries [link] offering an adequate level of protection is very limited. And in case of a ‘no-deal’ Brexit, it has been established that the United Kingdom has not (yet) been included in that list. This means that transfer would only be permitted on the grounds of one of the statutory stipulations from the GDPR.
The Data Protection Board has drafted a 5-step plan that organisations need to follow to prepare for a ‘no-deal’ Brexit:
- Establish which processing activities require the transfer of personal data to the United Kingdom;
- Determine which instrument for transfer of personal data is applicable to your situation (these could for example be the EU standard contractual clauses as mentioned in my earlier article);
- Ensure that the elected instrument for the transfer of personal data is ready for use on 30 March 2019;
- Indicate in your internal documents that personal data will be transferred to the United Kingdom;
- Update your privacy statement to inform the readers about the new situation.
For a more detailed overview of the instructions we refer to the text of the instructions.