Brexit means Brexit. And out they came. Finally. So now we dare to write a bit about what Brexit means in terms of data protection rules.
In the Agreement between the EU and the UK, it appears that 2020 is a transitional period in which EU rules continue to apply in the UK. See articles 126 - 127:
Article 126:
There shall be a transition or implementation period beginning on the day of entry into force of this Agreement and ending on 31 December 2020.
Article 127 (1):
Unless otherwise provided for in this Agreement, EU law shall apply to and in the United Kingdom during the transitional period.
Article 127 (3):
During the transitional period, EU law applicable pursuant to paragraph 1 shall have the same legal effects vis-à-vis and in the United Kingdom as in the Union and its Member States and shall be interpreted and applied in accordance with the same methods and general principles applicable in the Union.
What applies during the 2020 transition period?
Everything is as it used to be. The UK is not a third country under the GDPR in 2020. So in 2020, for example, you should not state that you may be transferring data to the UK:
During the transitional period, therefore, Great Britain would not count as a third country within the meaning of Chapter V GDPR, so that controllers or processors in the EU who transfer personal data to the island state would not have to apply the corresponding provisions.
Also, you do not need to use the EU Commission's Standard Data Protection Clause (Standard Contractual Clause) to bring data to the UK.
What applies after the transitional period?
As the UK is now out of the EU, the EU can start examining whether data protection in the UK is adequate. This appears on page 4 of the “Political Declaration setting out the framework for the future relationship between the European Union and the United Kingdom” (highlighted in bold):
The Union's data protection rules provide for a framework allowing the European Commission to recognize a third country's data protection standards as providing an adequate level of protection, thereby facilitating transfers of personal data to that third country. On the basis of this framework, the European Commission will start the assessments with respect to the United Kingdom as soon as possible after the United Kingdom's withdrawal, endeavoring to adopt decisions by the end of 2020, if the applicable conditions are met.
At the same time, the UK will also make it easy to transfer personal data to the EU:
Noting that the United Kingdom will establish its own international transfer regime, the United Kingdom will, in the same timeframe, take steps to ensure the comparable facilitation of transfers of personal data to the Union, if the applicable conditions are met.
With some luck, things should come together around the year 2021: The EU has approved the UK as a secure third country and the UK has made it easy to transfer personal data to the EU.
Find out if you have data processing in the UK in 2021
At a minimum, listings, risk assessments and disclosures need to be updated if you have processing in the UK after 2021.
If you send personal data to the UK as a data controller, this should be fairly straightforward to map: do you have recipients, including subsidiaries, in the UK or not?
As a data controller you can also have processing in the UK through your data processor chains. This can be a bit messy to find out: maybe the sub-processor does not process your data in the UK, but the sub-processor's own data processor may do so.
Therefore, as part of the periodic supervision of your data processors, you can ask them to state whether they are aware of any processing in the UK further down the processor chain.
It can be quite difficult to get to the bottom of whether the final processor processes personal data on your behalf in the UK or not. However, if supervision is used as a tool, you can at least get off to a good start - and it must be possible to achieve this before 2021.