Guidance

Using personal data in your business or other organisation during and after the transition period

What you should do when transferring people’s personal data between the UK and the EU/EEA.

The UK has left the EU

This page tells you what you'll need to do from 1 January 2021. It'll be updated if anything changes.


This information is for UK businesses and other organisations that:

  • receive personal data from organisations abroad, including the European Economic Area (EEA), which includes the EU
  • operate in the EEA

What personal data is

Personal data is any information that can be used to identify a living person, including names, delivery details, IP addresses, or HR data such as payroll details. Most organisations use personal data in their daily operations.

An example of this is a UK company that receives customer information from an EU company, such as names and addresses, to provide goods or services.

Data protection and GDPR

During the transition period there will be no immediate change to the UK’s data protection standards. EU data protection laws, including the General Data Protection Regulation (GDPR), will continue to apply during the transition period alongside the Data Protection Act 2018. The Information Commissioner will remain the UK’s independent supervisory authority on data protection.

What you need to know about the transition period, data flows and EU-based representatives

During the transition period, personal data will be able to flow freely (subject to GDPR compliance), without additional restrictions, between the EU/EEA and the UK.

UK organisations will still be able to send personal data legally from the UK to the EEA and 13 countries deemed adequate by the EU.

To date, 12 of the 13 third countries deemed adequate by the EU have informed us they will maintain unrestricted personal data flows with the UK. Further information can be found on the ICO’s website.

During the transition period, there will be no need for UK data controllers or processors to appoint EU-based representatives.

Check the ICO website for further information.

Looking ahead to 1 January 2021

The EU has an established mechanism, called adequacy decisions, to allow the unrestricted transfer (subject to GDPR compliance) of personal data to countries outside the EU. In the Political Declaration, the EU has committed to the European Commission beginning its adequacy assessment of the UK as soon as possible after the UK leaves the EU, endeavouring to adopt an adequacy decision during the transition period if the applicable conditions are met.

If the EU has not made an adequacy decision in respect of the UK before the end of the transition period, you should act if you want to ensure you can continue to receive personal data from EU/EEA countries in the future. The ICO also provides more detailed guidance on what actions might be necessary.

EU law (as it stands at the end of the transition period) could continue to apply to certain sets of data after the end of the transition period, in the event that the EU has not made an adequacy decision in respect of the UK.

Some UK data controllers and processors may need to appoint EU-based representatives from 1 January 2021.

EU-based representatives (Article 27 of the GDPR)

Businesses and other organisations based outside the EU/EEA which target data subjects in the EU/EEA by offering them goods or services or monitoring their behaviour will be subject to the GDPR and will usually need to appoint representatives in the EU/EEA.

Check the ICO website for further information, or call the ICO helpline on 0303 123 1113 (open Monday to Friday).

Published 6 February 2019