Brexit and international data transfers
International data transfers have a new situation to deal with: on 31st January 2020, after several extensions, Brexit occurred, with the United Kingdom leaving the European Union after 47 years.
Among the many consequences (some yet to be known), some involve compliance with data protection laws: European regulations on this issue have always established that data transfers outside the European Union involve additional risks for data subjects.
Prior to Brexit, the UK was an EU Member State with all that this entailed and, therefore, the flow of personal data between companies to or from the United Kingdom was not subject to any additional action. All this changes with Brexit.
When do the changes to data protection regulations apply?
Nothing will change until December 2020 because we are in the transition period. As of January 2021, the UK will be considered, for all intents and purposes, a third country and, therefore, subject to the requirements that the GDPR provides for international data transfers.
How do international business data transfers affect EU companies?
I am an EU company transferring data to the UK, what happens?
This will be considered an international transfer of personal data, so you will need to meet the requirements of the GDPR (Arts. 44 to 49).
Think about certain common services, such as web or database hosting, ERP or CRM. If the companies providing you with these services are based in the UK, then it affects you.
Among other options, you can:
- ask the data subject for express consent,
- sign standard contractual clauses (SCC) offered by the EU or
- draw up a contract and request authorisation from the Data Protection Authority.
How do international business data transfers affect UK companies?
I am a UK company processing data from European citizens. What should I do?
Companies based in the UK whose customers, employees or other personal data subjects are based in the EU as of January 2021 shall appoint an EU data protection representative for the Data Protection Authority of a Member State.
The representative will respond on behalf of the British company in case of complaints from European citizens regarding the processing of their data. The EU representative should not be confused with the Data Protection Officer. An EU representative does not have to have specific training or knowledge of data protection, but should have proven experience in dealing with complaints by individuals or in the requirements of the Data Protection Authority.
The relationship between the British company and the EU representative must be regulated in a contract and the appointment must be communicated to the Data Protection Authority.
If you are a British Startup and want to keep doing business within the EU and be 100% GDPR compliant, contact us.