tratamiento datos

This post is also available in: Español

On December 15, the European Data Protection Board (EDPB) released a statement about the end of the Brexit transition period on December 31.

The EDPB Chair, Andrea Jelinek, signed the statement, recalling that the United Kingdom (UK) will no longer apply the General Data Protection Regulation (GDPR) to the processing of personal data from January 1. The UK will apply its own separate legal framework to personal data processing.

As a result, any exchanges of personal data between the European Economic Area (EEA) and the UK will qualify as international data transfers, subject to Chapter 5 of the GDPR.

The statement recalls that, in the absence of an adequacy decision applicable to the UK under article 45 GDPR, these personal data transfers will require (i) appropriate safeguards; (ii) enforceable data subject rights; and (iii) effective legal remedies, in accordance with article 46 GDPR.

For as long as there is no adequacy decision by the European Commission (EC), article 46 GDPR requires all data processing activities between the EEA and the UK to be performed through (i) legally binding and enforceable instruments between public authorities and bodies; (ii) binding corporate rules; (iii) standard data protection clauses allowed by supervisors and approved by the EC; or (iv) codes of conduct or certification mechanisms complying with the GDPR requirements.

The Chair also notes that in the absence of an adequacy decision or appropriate safeguards for international data transfers involving the UK, a derogation provided in article 49 GDPR will allow the transfer of personal data to the UK. This derogation allows personal data transfers to third countries in specific cases, including when (i) the data subject has explicitly consented to the proposed transfer, having been informed of the potential risks; (ii) the transfer is necessary for the performance of a contract on behalf of the data subject; or (iii) the transfer is necessary for reasons of public interest or to defend the data subject’s claims.

The statement recalls that these derogations are exceptional and must be interpreted restrictively, since they relate to occasional and non-repetitive processing activities.

The EDPB also recalls the consequences of Brexit for the GDPR “one-stop-shop mechanism” (OSS mechanism), applying to cases where a single controller or processor performs data processing activities in various EU countries. In these cases, the OSS mechanism provides for a single data protection authority: the supervisory authority of the controller’s or processor’s main establishment in the EEA. This mechanism will no longer apply to the UK from January 1, 2021. The statement stresses that, over recent months, the EDPB has been in contact with the UK data protection authority (Information Commissioner’s Office, ICO) to enable a smooth transition. The aim is to ensure that EEA authorities follow a shared and efficient approach in handling existing complaints and crossborder cases involving the ICO, to minimize delays and inconveniences for affected complainants.

The statement underlines that the decision to benefit from the OSS mechanism in crossborder cases is up to the individual controllers and processors, who may choose to set up a new main establishment in the EEA after the end of the Brexit transition period.

Finally, the statement notes that controllers and processors without a main establishment in the EEA, but whose processing activities are subject to the GDPR under article 3(2), must designate a representative in the EU as required by article 27 GDPR. Supervisory authorities and data subjects may refer all processing issues to the EU representative, in order to ensure compliance with the GDPR.

Authors: Pedro Miguel Santos and Albert Agustinoy

This post is also available in: Español



103 artículos