Using personal data in your business or other organisation
What action you need to take regarding data protection and data flows with the EU/EEA.
This information is for UK businesses and other organisations that:
- receive and transfer personal data to/from organisations abroad, including the European Economic Area (EEA), which includes the EU
- operate in the EEA
Further information can be found on the Information Commissioner’s Office’s (ICO) website. The ICO is the independent supervisory authority for data protection in the UK.
What personal data is
Personal data is any information that can be used to identify a living person, including names, delivery details, IP addresses, or HR data such as payroll details. Most organisations use personal data in their daily operations.
An example of this is a UK company that receives customer information from an EU company, such as names and addresses, to provide goods or services.
Now that the UK has left the EU
Receiving personal data from the EU/EEA and already adequate third countries
The EU-UK Trade and Cooperation Agreement contains a bridging mechanism that allows the continued free flow of personal data from the EU/EEA to the UK after the transition period until adequacy decisions come into effect, for up to 6 months. EU adequacy decisions for the UK would allow for the ongoing free flow of data from the EEA to the UK.
As a sensible precaution, before and during the bridging mechanism, it is recommended that you work with the EU/EEA organisations that transfer personal data to you to put in place alternative transfer mechanisms, to safeguard against any interruption to the free flow of EU to UK personal data.
For most organisations, the most relevant of these will be Standard Contractual Clauses (SCCs). The ICO also provides more detailed guidance on what actions might be necessary and an interactive tool that allows you to build SCCs.
11 of the 12 third countries deemed adequate by the EU are maintaining unrestricted personal data flows with the UK. Further information can be found on the ICO’s website.
EU-UK Trade and Cooperation Agreement interim bridging mechanism for personal data
The UK regained full autonomy over its data protection rules from 1 January 2021. The EU-UK Trade and Cooperation Agreement bridging mechanism for personal data (Part Seven, Article FINPROV.10A) operates on the basis of UK law, as it stands on 1 January, and with some restrictions on the UK’s use of international data transfer powers.
The provision includes mechanisms to enable the UK to make changes to its data protection regime or exercise international transfer powers, subject to mutual agreement, without affecting the bridging mechanism. The UK will have full autonomy over its data protection rules. The EU does not have the power to block changes to the UK’s framework or the UK’s use of its powers. If the EU objects to a change and the UK makes it anyway, the bridge will end.
For personal data flows from the UK
There are currently no changes to the way you send personal data to the EU/EEA, Gibraltar and other countries deemed adequate by the EU. If this situation changes, we will update this page.
For international data transfers from the UK to other jurisdictions, further information can be found on the ICO’s website.
Personal data provisions in the Withdrawal Agreement
This section provides an outline of the UK government’s view on the general application of the Withdrawal Agreement personal data protection provisions.
Organisations should be aware that Article 71(1) of the Withdrawal Agreement contains provisions that continue to apply EU data protection law to certain ‘legacy’ personal data until full adequacy decisions are adopted by the EU and come into effect. In accordance with the Withdrawal Agreement, references to EU law should generally be understood as the law applicable on the last day of the transition period.
Legacy data comprises personal data of individuals outside the UK (whether in the EEA or not) which is processed in the UK, where:
- it was acquired before the end of the transition period and processed under EU data protection law; or
- it is processed on the basis of the Withdrawal Agreement after the end of the transition period, for example if personal data is processed under a provision of EU law that applies in the UK by virtue of the Withdrawal Agreement.
Now that the transition period has ended, EU data protection law has been converted into UK domestic law, with some minor technical amendments to ensure it is operable in the UK. UK and EU data protection law is therefore aligned. Although UK organisations may not need to do anything differently immediately to accommodate the Withdrawal Agreement requirements in practice, they may want to consider, where possible, taking stock of the personal data they hold. This will allow them to identify and track the relevant legacy personal data to which EU data law continues to apply under the Withdrawal Agreement.
Please monitor the ICO’s website for further guidance.
Appointing EU-based representatives
Some UK data controllers and processors may also need to appoint EU-based representatives. Further information can be found on the ICO’s website, or by calling the ICO helpline on 0303 123 1113 (open Monday – Friday).
Data protection and GDPR
The General Data Protection Regulation (GDPR) has been retained in UK law and will continue to be read alongside the Data Protection Act 2018, with technical amendments to ensure it can function in UK law. The Information Commissioner remains the UK’s independent supervisory authority on data protection. The UK remains committed to high data protection standards.
Schrems II
On 16 July 2020 the Court of Justice of the European Union (CJEU or ECJ) upheld SCCs as a valid tool for the international transfer of personal data, but only where they (together with appropriate additional measures) provide protection “essentially equivalent” to that in the EU.
The UK has, and will maintain, high standards of protection for personal data, including the same regulatory framework for data protection as the EU, and is therefore clearly essentially equivalent to the EU on data protection. A full explanatory document on our framework is available online, and we would encourage EU/EEA businesses to review it to satisfy themselves that the UK is a safe destination for personal data.