Following guidance issued by issued by DCMS and the ICO at the end of last year (discussed in our bulletin), the European Data Protection Board (EDPB) has published its own information notice on data transfers from the EEA to the UK post-Brexit in the event of a no-deal. The notice confirms that, after 29 March 2019, if the UK leaves without a deal, transfers of personal data from the EEA to the UK can only take place using:
- Standard Contractual Clauses (SCCs)
- Binding Corporate Rules
- Codes of Conduct and Certification Mechanisms
- Derogations (including, for example, explicit consent of the data subject)
Personal data transfers from the UK to the EEA will, at least transitionally, be allowed to continue as currently, due to the UK government’s decision to recognise the EU’s data protection regime as adequate.
The EDPB identifies the following five steps that a business should take to prepare in relation to transfers of personal data from the EEA to the UK:
- Identify its processing activities that will involve a personal data transfer to the UK
- Determine the appropriate data transfer instrument for its situation
- Implement the chosen data transfer instrument to be ready for 30 March 2019
- Indicate in its internal documentation that transfers will be made to the UK
- Update its privacy notice accordingly to inform individuals
The most likely mechanism to be used for such transfers will be SCCs adopted by the European Commission. The EDPB stresses that these are a ‘ready to use’ instrument and must not be modified (although they can be included in a wider contract, and additional clauses may be included provided they do not contradict the SCCs).
In addition to considering data flows between the UK and the EEA, businesses need to consider data flows from the UK to other territories, and compliance with the new ‘UK GDPR’ that will be in effect on Exit day (through The Data Protection, Privacy and Electronic Communications (Amendments etc) EU Exit) Regulations 2019 – discussed in our bulletin).