Current status

After we last reported that an adequacy decision for the transfer of personal data from the EU to the United Kingdom is currently still pending, there is now finally movement in the discussion.

Thus, the European Commission has now on 19/02/2021 communicated more that it has initiated the procedure for the adoption of two adequacy decisions (1st General Data Protection Regulation and 2nd Law Enforcement Directive) for the transfer of personal data to the UK.

Given the current legal uncertainties surrounding the transfer of personal data between companies on both sides of the Channel, this is good news by any measure. As an interim solution, data flows between the EU and the UK will be secured under a conditional transitional arrangement in the EU-UK Trade and Cooperation Agreement. As a result of this, data transfers of personal data from the EU to the UK are temporarily not considered as a transfer to a third country and are therefore possible without further safeguards such as standard contractual clauses or corporate binding rules.

However, this is only valid until a possible adequacy decision by the European Commission has been adopted, but for a maximum of four months and is extendable by two months and in this respect expires on June 30, 2021 at the latest, so that the relevant legal issues would have to be renegotiated again.
Currently, adequacy decisions exist for the transfer of personal data to the following third countries:

– Andorra
– Argentina
– Canada
– Faroe Islands
– Guernsey
– Israel
– Isle of Man
– Japan
– Jersey
– New Zealand
– Switzerland
– Uruguay

Outlook and next steps

The next step is to obtain an opinion from the European Data Protection Board (EDPB), which in turn is composed of representatives of the EU Member States. Once this process is further completed, the Commission could eventually adopt the two adequacy decisions.

We will keep you informed about the further current events and point out that, irrespective of the question regarding the transfer of data, the appointment of a UK-GDPR representative could also be necessary for controllers or processors based outside the UK and a EU-GDPR representative might be required for controllers and processors in the UK that are processing data of individuals in the EU. Please see our related services.