ELZABURU

Personal information. Safeguards for Brexit

If your company has a supplier, parent company, subsidiary, partner or collaborator established in the United Kingdom, it is very likely that personal data is being transferred to that country. In that case it is highly advisable to know what can be done, in the event of Brexit, to continue transferring that information and benefiting from those relationships without breaching data protection regulations or exposing yourself to harsh penalties for doing so.

This is because, once the separation from the United Kingdom has been completed, communications of personal data to that country will be considered International Data Transfers (TID), since it will become a third country with respect to the EU and the EEA.


 

The General Data Protection Regulation (GDPR) is the strictest privacy regulation worldwide. It follows that, if data is sent to a country outside the European Economic Area (EEA), the level of security and guarantees decreases. Thus, the general rule is that these data flows are not allowed unless they meet one of the following conditions:

  • That the country of destination of the data has an Adequacy Decision: the European Commission, after studying the country's privacy regulations, considers that it offers sufficient guarantees to be in line with the European level, as was the recent case of Japan on January 24. However, although the United Kingdom has adapted its national legislation to the European Data Protection Regulation (the GDPR), the European Data Protection Board or EDPB (the former Article 29 Working Party) already points out that, as of today, it does not have such an adequacy decision, and the truth is that obtaining one can take valuable time, during which data flows to the United Kingdom cannot be brought to a halt.
  • That adequate safeguards have been adopted: even if the destination country does not have an adequacy decision, data transfers can be enabled if one of the safeguards that support them is in place, of which the most important are:
    • Standard clauses: contractual provisions that oblige the recipient of the data to adopt measures and guarantees that allow a level of protection comparable to the European one.
    • Binding corporate rules: better known by their English acronym, BCR (Binding Corporate Rules), these consist of a set of legally binding policies or codes of conduct that a group of companies designs and implements in order to offer sufficient guarantees that intra-group data transfers are safe. It is a mechanism exclusive to business groups, and must be submitted to the relevant Supervisory Authority for review and, where appropriate, acceptance.
  • Codes of conduct and certification mechanisms: these mechanisms are a novelty introduced by the GDPR. Codes of conduct consist of sectoral self-regulation standards; the approach is similar to that of the BCR but is applied to a business sector instead of a business group. In addition, the GDPR establishes the possibility of creating data protection certification mechanisms (such as seals or marks) in order to demonstrate compliance with the applicable regulations. The EDPB is currently working on a series of guidelines to harmonize these conditions.
  • That one of the exceptions provided for is applicable: the GDPR leaves some margin, establishing that, even when the TID is directed to a destination that is not considered secure and the communication has not been protected with adequate safeguards, it can be carried out if it is covered by one of the exceptional situations the Regulation contemplates. The EDPB already warns that, since these are exceptions, they must be interpreted strictly and used only occasionally, not as a general rule.

In this way, even if the United Kingdom fails to reach an agreement before its final departure, or if that agreement does not include provisions on data protection, this would not necessarily lead to the isolation of EU personal data flows, although their fluidity will depend on the decision that the European Union makes and on the anticipation or rapid response of companies in the rest of Europe that have a relationship with the United Kingdom.

January 2020 update:

On December 31, 2020, the “Trade and Cooperation Agreement between the European Union and the European Atomic Energy Community, of the one part, and the United Kingdom of Great Britain and Northern Ireland, of the other part".

This agreement is comprehensive in nature and, among many other aspects, regulates data flows between the European Union and the United Kingdom. Thus, Article FINPROV.10A of this Agreement establishes that the transmission of personal data from the EU to the United Kingdom will not be considered an International Data Transfer until four months (plus two extensions) have elapsed from the date of the Agreement.

The parties to the Agreement anticipate that, before this deadline, all the necessary actions will have been taken so that the United Kingdom has an Adequacy Decision covering international personal data flows from the EU to that country.

Authors: Fernando Díaz and Ruth Benito

Visit our web page: http://www.elzaburu.com/ 
