Brexit Data Flows Blog

EU-UK Data flows update

January 6th, 2021 Posted in Compliance, Data Protection

EU-UK Data – a six month reprieve

On 24 December 2020 the UK and the EU finally reached a Brexit trade deal under the draft EU-UK Trade and Cooperation Agreement. Under this agreement, information will continue to flow at the end of the transition period (31 December 2020) without any change for the next 6 months, to allow the European Commission to complete its adequacy assessment of the UK’s data protection regime.

The ICO released a statement on 28 December 2020 in response to UK Government’s announcement on the extended period for personal data flows. In its statement, the ICO recommends that organisations who transfer personal data between the EU/EEA and UK should put in place alternative transfer mechanisms, such as standard contractual or binding corporate rules, to avoid any interruption to the free flow of personal data from the EU to UK.

EU-UK representatives

One other thing to think about is having an establishment in the United Kingdom and the European Union. If you are offering goods or services to, monitoring the behaviour of or processing personal data about individuals in the EEA Article 27 of the GDPR requires that you must appoint a European representative if you don’t have an existing establishment in the EEA. A reciprocal obligation is contained in the UK GDPR meaning that organisations in the EEA without a UK establishment will need to appoint a UK representative if they process data about individuals in the UK.

Although the transfer of data has been addressed for the time being, organisations still need to consider whether they need an Article 27 representative in the UK or the EU. If your organisation collects personal information in the EU and you are not established in the EU, you will need an EU representative.

UK organisations didn’t need to do this previously because they were established in the UK, which was obviously an EU member state. Following the end of the Brexit transition period, the GDPR regime applicable in the UK is the ‘UK GDPR’ which includes an Article 27 obligation for the UK. As such, if you if your organisation collects personal data in the UK and you are not established in the UK, you will need an UK representative.

Need help?

If you have questions about post-Brexit data flows, or need input on representatives, please get in touch with us. We’d be happy to discuss these issues with you in more detail.

Raymond Orife Evalian 250x250

Written by Ray Orife

Ray specialises in data protection and information rights law. He is a qualified solicitor and worked in private practice and in-house in commercial law roles before focusing on data protection. Before joining Evalian™ he was in-house counsel and Data Protection Officer for a high street financial services organisation and their associated businesses. His qualifications include a First Class Honours Degree in Law, LPC (Distinction), Practitioner Certificate in Data Protection (PC.dp) and IAPP CIPP/E.