EUROPEAN COMMISSION
DIRECTORATE-GENERAL JUSTICE AND CONSUMERS
Brussels, 6 July 2020
REV1 – replaces the notice dated 9 January 2018
NOTICE TO STAKEHOLDERS
WITHDRAWAL OF THE UNITED KINGDOM AND EU RULES IN THE FIELD OF
DATA PROTECTION
Since 1 February 2020, the United Kingdom has withdrawn from the European Union and has become a “third country”.1 The Withdrawal Agreement2 provides for a transition period ending on 31 December 2020.3 Until that date, EU law in its entirety applies to and in the United Kingdom.4
During the transition period, the EU and the United Kingdom will negotiate an agreement on a new partnership, providing notably for a free trade area. However, it is not certain whether such an agreement will be concluded and will enter into force at the end of the transition period. In any event, such an agreement would create a relationship which in terms of market access conditions will be very different from the United Kingdom’s participation in the internal market,5 in the EU Customs Union, and in the VAT and excise duty area.
It is also clear that after the end of the transition period, any transfer of personal data to the United Kingdom other than that governed by Article 71(1) of the Withdrawal Agreement will not be treated as sharing of data within the Union. It will need to comply with the relevant Union rules applicable to transfers of personal data to third countries.
1 A third country is a country not member of the EU.
2 Agreement on the withdrawal of the United Kingdom of Great Britain and Northern Ireland from the European Union and the European Atomic Energy Community, OJ L 29, 31.1.2020, p. 7 (“Withdrawal Agreement”).
3 The transition period may, before 1 July 2020, be extended once for up to 1 or 2 years (Article 132(1) of the Withdrawal Agreement). The UK government has so far ruled out such an extension.
4 Subject to certain exceptions provided for in Article 127 of the Withdrawal Agreement, none of which is relevant in the context of this notice.
5 In particular, a free trade agreement does not provide for internal market concepts (in the area of goods and services) such as mutual recognition, the “country of origin principle”, and harmonisation. Nor does a free trade agreement remove customs formalities and controls, including those concerning the origin of goods and their input, as well as prohibitions and restrictions for imports and exports.
Therefore, all interested parties, and especially economic operators, are reminded of the legal situation applicable after the end of the transition period (Part A below)6. This notice also explains certain relevant separation provisions of the Withdrawal Agreement (Part B below).
A. LEGAL SITUATION AFTER THE END OF THE TRANSITION PERIOD – TRANSFER OF PERSONAL DATA TO THE UNITED KINGDOM
After the end of the transition period, the transmission of data from the EU to the United Kingdom is a “transfer” under Chapter V of Regulation (EU) 2016/679 (the GDPR).7 Aside from the possibility of an “adequacy decision”, the Regulation (EU) 2016/679 provides for the possibility of transfers on the basis of “appropriate safeguards” (see below, section 1) and “derogations”(see below, section 2).
1. APPROPRIATE SAFEGUARDS
1.1. Standard data protection clauses
According to Article 46(1),2)(c) of Regulation (EU) 2016/679, personal data may be transferred on the basis of standard protection clauses adopted by the Commission.8
1.2. Binding corporate rules
According to Article 46(1)(2)(b) of Regulation (EU) 2016/679, personal data may be transferred on the basis of binding cooperate rules.
Binding cooperate rules require an approval of the competent supervisory authority of an EU Member State in accordance with the relevant provisions of Regulation (EU) 2016/679.9 Binding corporate rules approved since the date of application of Regulation (EU) 2016/679, i.e. 25 May 2018,10 are valid throughout the EU.
Binding corporate rules approved by the competent supervisory authority of the United Kingdom since 25 May 2018 no longer provide appropriate safeguards after the end of the transition period, unless these binding corporate rules are subject to a new approval from a competent authority of an
6 Please note that this notice concerns only exchanges falling under the scope of the Regulation (EU) 2016/679.
7 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016, p. 1.
8 https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts- transfer-personal-data-third-countries_en
9 Article 47 of Regulation (EU) 2016/679.
10 Article 99(2) of Regulation (EU) 2016/679.
EU Member State confirming that they provide appropriate safeguards for international transfer of personal data after the end of the transition period.11
As regards binding corporate rules approved before 25 May 2018 by the competent supervisory authority in the United Kingdom, they can continue to be used as a valid transfer mechanism under Regulation (EU) 2016/679 after the end of the transition period only if any connection to the legal order of the United Kingdom, such as the corporate entity designated, the competent courts or the competent supervisory authority, is replaced by equivalent roles for corporate entities and competent authorities within the EU.12 13
1.3. Codes of conduct and certification
According to Article 46(1)(2)(e) of Regulation (EU) 2016/679, personal data may be transferred on the basis of Codes of Conduct approved pursuant to Article 40 of Regulation (EU) 2016/679 together with binding and enforceable commitments of the controller or processor in the third country (hereinafter referred to as “transfer codes of conduct”).
According to Article 46(1)(2)(f) of Regulation (EU) 2016/679, personal data may be transferred on the basis of an approved certification pursuant to Article 42 of Regulation (EU) 2016/679 together with binding and enforceable commitments of the controller or processor in the third country.
Recourse to Codes of conducts and certification as transfer mechanism will be further clarified by guidance being prepared by the European Data Protection Board.14
11 The European Data Protection Board (EDPB) will soon publish an Information note addressing specifically how to deal in practice with BCRs approved by the UK Information Commissioner Office.
12 As regards the identification of the competent supervisory authority in the European Economic Area who shall act as Binding Corporate Rule Lead, see Working Document 263 rev.01 of the Article 29 Working Party, setting forth a Co-Operation Procedure for the approval of Binding Corporate Rules for controllers and processors under Regulation (EU) 2016/679. The document has been endorsed by the European Data Protection Board.
13 More details, including on the procedure to follow, will be included in the forthcoming Information note of the EDPB.
14 In case they were available before the end of the transition period , stakeholders are informed that:
– codes of conduct approved by the competent supervisory authority of the United Kingdom or
– certification approved certification bodies accredited by the supervisory authority of the United Kingdom or by accreditation bodies of the United Kingdom no longer provide for appropriate safeguards after the end of the transition period.
2. DEROGATIONS
According to Article 49 of Regulation (EU) 2016/679, in the absence of an adequacy decision of the Commission or of appropriate safeguards in the meaning of Article 46, a transfer or a set of transfers may take place on the basis of so-called “derogations” which allow transfers in specific cases, such as based on consent, for the performance of a contract, for the exercise of legal claims or for important reasons of public interest.15
B. RELEVANT SEPARATION PROVISIONS OF THE WITHDRAWAL AGREEMENT
Article 71(1) of the Withdrawal Agreement provides that the personal data of data subjects outside the United Kingdom, where the data were
– transmitted to the United Kingdom or otherwise processed in the United Kingdom before the end of the transition period; or
– transmitted to the United Kingdom or otherwise processed in the United Kingdom after the end of the transition period on the basis of the Withdrawal Agreement;
continue to be processed in the United Kingdom in accordance with Regulation (EU) 2016/679 after the end of the transition period.16
This ensures the continued protection of personal data of data subjects whose personal data were transmitted to the United Kingdom while the United Kingdom was a Member State and during the transition period. It also ensures such continued protection of personal data of data subjects outside the United Kingdom processed in the United Kingdom on the basis of the Withdrawal Agreement after the end of the transition period.
The website of the Commission on EU rules on personal data protection (https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en) provides general information concerning Union legislation on personal data protection. These pages will be updated with further information, where necessary.
European Commission
Directorate-General Justice and Consumers
15 See also the European Data Protection Board Guidelines 2/2018 of 25 May 2018.
16 However, should the Commission adopt an adequacy decision that the United Kingdom offers adequate data protection pursuant to Article 45(3) of Regulation (EU) 2016/679, the Regulation (EU) 2016/679 will cease to apply (see Article 71(2) of the Withdrawal Agreement). In case that, subsequently, such an adequacy decision ceases to be applicable (for example, a repeal of the adequacy decision under Article 45(5) of Regulation (EU) 2016/679, or annulment by the Court), Article 71(3) of the Withdrawal Agreement applies.