Data Sharing – What to do post-Brexit
Brexit, where are we now?
Following the UK leaving the EU on 31 January 2020 and an extended transition period, the European Commission awarded the UK two adequacy decisions for transfers of personal data to the United Kingdom, under the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED) respectively.
Transfers from the UK to the EEA (and other countries deemed adequate by the EU) continue as before, using a framework for transfer under the UK regime similar to the one that applied under the EU framework. The UK has adopted all of the existing European Commission adequacy decisions. In addition, the UK has declared that the EEA is a ‘safe place’ to transfer personal data, and therefore no other gateway mechanism will be required for UK to EEA transfers. This is reflected in a UK-specific version of the GDPR (known as the “UK GDPR”) which took effect on 1 January 2021. The UK GDPR provides a replica regime for transfers of personal data outside the UK which is exactly like the rules in the EU GDPR for ex-EEA transfers. In addition, the UK has the power to make its own ‘adequacy decisions’ relating to third countries moving forward.
Transfers from the EEA to the UK. Following the UK being given an adequacy decision from the European Commission, data transfers are able to flow on the same basis as transfers to other adequate countries. However, following the ‘Schrems II’ judgement, whenever data is to be transferred from the EEA to the UK or from the UK to any country outside the EEA, it is now necessary to conduct a “Data Transfer Assessment”. A template for use where the UK is receiving data from the EEA is located here, in order to evidence the measures taken by the College to document the effectiveness of the measures being implemented and the necessity for the data transfer. Alternatively, if data is to be sent from the UK to non-EEA countries, please contact the DPO for suitable alternative documentation.
Transfers from the UK to non-EEA countries. Following the UK leaving the EEA, it has adopted a similar framework to allow transfers to non-EEA or ‘non-adequate countries’ when an alternative provision or mechanism for data transfer is in place. For more information about such provisions, please see Sharing personal data | Administration and support services | Imperial College London
- the following countries are in the EEA: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Iceland, Liechtenstein and Norway;
- if personal data is shared and processed solely within the UK – no further measures need to be put in place at this time;
- if personal data is transferred solely from the UK to an organisation in the EEA (and not back to the UK) – no further measures need to be put in place at this time;
- if personal data is transferred solely from the UK to an organisation outside the EEA, the current rules will continue to apply as before.
What if I have questions in relation to the above recommendations or need help preparing any data protection documents?
If you have questions in relation to steps to take now in the context of data protection or need help with any data protection documents, please contact, in the first instance, the College’s DPO or the College’s Deputy DPO via Data-Protection@Imperial.ac.uk for further information.
Further publicly available information
ICO statement re UK Adequacy: Adequacy | ICO
UK Government statement re UK Adequacy: EU adopts ‘adequacy’ decisions allowing data to continue flowing freely to the UK - GOV.UK (www.gov.uk)
European Commission statement re UK Adequacy: Adequacy decisions | European Commission (europa.eu)