What action you need to take regarding data protection and data flows with the EU/EEA after the end of the transition period.
New rules for January 2021
The UK has left the EU, and the transition period after Brexit comes to an end this year.
This page tells you what you'll need to do from 1 January 2021. It will be updated if anything changes.
Check what else you need to do during the transition period.
This information is for UK businesses and other organisations that:
- receive and transfer personal data to/from organisations abroad, including the European Economic Area (EEA), which includes the EU
- operate in the EEA
Further information can be found on the Information Commissioner’s Office’s (ICO) website. The ICO is the independent supervisory authority for data protection in the UK.
What personal data is
Personal data is any information that can be used to identify a living person, including names, delivery details, IP addresses, or HR data such as payroll details. Most organisations use personal data in their daily operations.
An example of this is a UK company that receives customer information from an EU company, such as names and addresses, to provide goods or services.
Looking ahead to 1 January 2021
Receiving personal data from the EU/EEA and already adequate third countries
From 1 January 2021, your organisation will need to have an alternative transfer mechanism, such as Standard Contractual Clauses (SCCs) in place with EU/EEA counterparts to ensure you can keep personal data flowing lawfully from them.
The EU is conducting a data adequacy assessment of the UK. If the EU grants positive adequacy decisions by 1 January 2021, it would mean that personal data can flow freely from the EU/EEA to the UK, as it does now, without any action by organisations.
With only weeks to go, the EU has yet to make a decision as to whether they accept that the UK’s data protection regime is still adequate.
Given time is running out before the end of the transition period, you need to act now in order to keep personal data flowing lawfully
You should work with EU/EEA organisations who transfer personal data to you to put in place alternative transfer mechanisms. For most organisations, the most relevant of these will be SCCs. The ICO also provides more detailed guidance on what actions might be necessary and an interactive tool that allows you to build SCCs.
11 of the 12 third countries deemed adequate by the EU have currently informed us they will maintain unrestricted personal data flows with the UK from 2021. Further information can be found on the ICO’s website.
For personal data flows from the UK
There are currently no changes to the way you send personal data to the EU/EEA, Gibraltar and other countries deemed adequate by the EU. If this situation changes, we will update this page.
For international data transfers from the UK to other jurisdictions, further information can be found on the ICO’s website.
Personal data provisions in the Withdrawal Agreement
This section provides an outline of the UK government’s view on the general application of the Withdrawal Agreement personal data protection provisions.
Organisations should be aware that Article 71(1) of the Withdrawal Agreement contains provisions that continue to apply EU data protection law to certain ‘legacy’ personal data in the event that the UK has not been granted full adequacy decisions by the end of the transition period. In accordance with the Withdrawal Agreement, references to EU law should generally be understood as the law applicable on the last day of the transition period.
Legacy data comprises personal data of individuals outside the UK (whether in the EEA or not) which is processed in the UK, where:
- it was acquired before the end of the transition period and processed under EU data protection law; or
- it is processed on the basis of the Withdrawal Agreement after the end of the transition period, for example if personal data is processed under a provision of EU law that applies in the UK by virtue of the Withdrawal Agreement.
At the end of the transition period, EU data protection law will be converted into UK domestic law, with some minor technical amendments to ensure it is operable in the UK. UK and EU data protection law will therefore be aligned at the end of the transition period. Although UK organisations may not need to do anything differently immediately to accommodate the Withdrawal Agreement requirements in practice, they may want to consider, where possible, taking stock of the personal data they hold so they can identify and track relevant legacy personal data to which EU data law applies in line with the Withdrawal Agreement requirements.
Please monitor the ICO’s website for further guidance.
Appointing EU-based representatives
Some UK data controllers and processors may also need to appoint EU-based representatives from 1st January 2021. Further information can be found on the ICO’s website, or you can call the ICO helpline on 0303 123 1113 for further information (open Monday - Friday).
Data protection and GDPR
During the transition period, there has been no change to the UK’s data protection standards. EU data protection laws, including the General Data Protection Regulation (GDPR), have continued to apply throughout the transition period alongside the Data Protection Act 2018. The Information Commissioner remains the UK’s independent supervisory authority on data protection.
After the end of the transition period, GDPR will be retained in UK law and will continue to be read alongside the Data Protection Act 2018, with technical amendments to ensure it can function in UK law. The UK remains committed to high data protection standards.
During the transition period
During the transition period, personal data is able to flow freely (subject to GDPR compliance), without additional restrictions, between the EU/EEA and the UK. There is also no requirement for UK data controllers or processors to appoint EU-based representatives for the duration of the transition period.
On 16 July 2020 the Court of Justice of the European Union (CJEU or ECJ) upheld SCCs as a valid tool for the international transfer of personal data, but only where they (together with appropriate additional measures) provide for “essentially equivalent” protection as in the EU.
The UK has and will maintain high standards of protection for personal data which includes, at the point the Transition Period ends, the same regulatory framework for data protection as the EU and therefore is clearly essentially equivalent to the EU on data protection. A full explanatory document on our framework is available online, and we would encourage EU/EEA businesses to review this to satisfy themselves that the UK is a safe destination for personal data.