You are in:

DATA PROTECTION

The UK left the EU on 31 January and the Withdrawal Agreement entered into force. If the UK does not request any extension before 1 July 2020, it will remain in force until 31 December 2020.

The application of the Withdrawal Agreement means that during its period in force, the UK is no longer a member of the EU, but must continue to apply Union law under certain conditions; it also continues subject to the decisions of the Court of Justice. Moreover, although it will no longer take part in all the EU institutions, agencies, bodies and working groups, it may continue to assume some responsibilities derived from EU law.

May data continue to be sent to the EU?

Although the UK is no longer a member of the EU, under the Withdrawal Agreement it must continue to apply Union law to all data of subjects outside the UK that have been processed before the end of the transition period. This means that for the purpose of exporting data, the UK's situation is comparable to that of a Member State.

To send data to the EU it is not necessary to have the support of any of the transfer instruments (adequacy decision, contractual clauses, binding corporate rules, etc.) under the General Data Protection Regulation (GDPR).

Companies that are transferring data to the UK may continue to do so in the same way they have done so far; and it is possible to begin new transfers under the same criteria applied so far, for as long as the Withdrawal Agreement is in force.

What will happen when the transition period covered by the Withdrawal Agreement ends?

Future relations between the EU and the UK with respect to matters including data protection must be established in the agreements that will begin to be negotiated following the entry into force of the Withdrawal Agreement.

In the area of data protection, the option at present most likely is that the European Commission could adopt an "adequacy decision" recognising that the UK offers a level of protection essentially equivalent to that provided within the framework of Union law.

The Withdrawal Agreement itself states expressly that "the European Commission will start the assessments with respect to the United Kingdom as soon as possible after the United Kingdom's withdrawal, endeavouring to adopt decisions by the end of 2020, if the applicable conditions are met".

In order to adopt these decisions, the Commission must assess the legal order and practice on data protection in candidate countries for adequacy, and may negotiate with them the introduction of legal changes for the practical application of rules to ensure the existence of this adequate level of protection. The decisions must be reviewed regularly to ensure that the conditions allowing their adoption continue to be met.

If in the end there is an adequacy declaration through a Commission decision, data may be sent to the UK without any type of formal requirement, in the same way in practice as would be done for communication of data between Member States.

Does the start of the transition period have any other effect on international data transfers?

No. The UK's supervisory authority will continue to act as one of the supervisory authorities for all purposes with respect to the instruments guaranteeing international data transfers under the GDPR.

For example, the UK's supervisory authority may continue to act as the lead authority to which a group of companies submit an application for authorisation of binding corporate rules (BCR) and must approve them following the same procedures used from the start of the application of the GDPR.

The only difference is that the UK's supervisory authority may not take part as a member with voting right at the meetings of the European Data Protection Board that validate the decisions expected to be adopted by the supervisory authorities in the Member States.

How will the supervisory system be applied during the transition period?

The GDPR establishes a relatively complex supervisory system, based on the "one-stop-shop" mechanism".

Briefly, under this system when a data controller or processor has a number of establishments in the EU, the data processing is supervised in cooperation by all the supervisory authorities of the countries where there are establishments, under the direction and coordination of a "lead" supervisory authority, which is the supervisory authority of the Member State where the data controller or processor has its main establishment. The same principle is applicable when the processing significantly affects persons in various Member States, whether or not the controller or processor has a number of establishments in the EU.

According to the terms of the Withdrawal Agreement, the UK's supervisory authority may continue to act as a lead authority or affected authority in procedures involving data controllers or processors with an establishment in the UK, whether main or not, or persons in the UK who are significantly affected by this processing.

In this participation, the UK's supervisory authority must apply the provisions of the GDPR that regulate supervisory procedures, subject to any decisions that may be adopted by the European Data Protection Board or the Court of Justice of the European Union in cases in which the GDPR provides for their intervention.

In simple terms, the supervisory model designed by the GDPR will continue to be applicable as it has been so far with respect to the UK's supervisory authority while the Withdrawal Agreement is in force.

As happened in the case of international transfers, the only and substantial difference is that the UK's supervisory authority may not participate as a member with voting rights at the meetings of the European Data Protection Board, called to settle disputes between authorities in the application of these supervisory provisions.

Non official translation