Brexit Data Flows Blog

EU-UK Data Flows Update

By Ray Orife - January 6th, 2021 Posted in Data Protection

A Six Month Reprieve

On 24 December 2020 the UK and the EU finally reached a Brexit trade deal under the draft EU-UK Trade and Cooperation Agreement. Under this agreement, data will continue to flow at the end of the transition period (31 December 2020) without any change for the next 6 months, to allow the European Commission to complete its adequacy assessment of the UK’s data protection regime.

The ICO released a statement on 28 December 2020 in response to UK Government’s announcement on the extended period for personal data flows. In its statement, the ICO recommends that organisations who transfer personal data between the EU/EEA and UK should put in place alternative transfer mechanisms, such as standard contractual or binding corporate rules, to avoid any interruption to the free flow of personal data from the EU to UK.

EU & UK Representatives

One other thing to think about is having an establishment in the UK and EU. If you are offering goods or services to, monitoring the behaviour of or processing personal data about individuals in the EEA Article 27 of the GDPR requires that you must appoint a European representative if you don’t have an existing establishment in the EEA. A reciprocal obligation is contained in the UK GDPR meaning that organisations in the EEA without a UK establishment will need to appoint a UK representative if they process data about individuals in the UK.

Although the transfer of data has been addressed for the time being, organisations still need to consider whether they need an Article 27 representative in the UK or the EU. If your organisation collects personal data in the EU and you are not established in the EU, you will need an EU representative.

UK organisations didn’t need to do this previously because they were established in the UK, which was obviously an EU member state. Following the end of the Brexit transition period, the GDPR regime applicable in the UK is the ‘UK GDPR’ which includes an Article 27 obligation for the UK. As such, if you if your organisation collects personal data in the UK and you are not established in the UK, you will need an UK representative.

Need Help?

If you have questions about post Brexit data flows, or need input on representatives, please get in touch with us. We’d be happy to discuss these issues with you in more detail.