Brexit & GDPR: Data transfer into third countries

According to the requirements of the GDPR any transfer of personal data to a third country (country outside the EU) is only permissible if this third country ensures an adequate level of protection and the level of protection for natural persons guaranteed by the GDPR is not undermined. The rules on the permissibility of a data transfer to third countries are incorporated into Art 44-49 GDPR. Since the UK is no longer an EU member state, it qualifies as a third country, although this qualification has been delayed during the bridge period, until 30 June 2021 at the latest.

Adequacy decision

As mentioned previously, the question whether an adequate level of protection is ensured for the data transfer to a third country is determined, i.e. by an adequacy decision. In case an adequacy decision was taken by the EU Commission, data controllers from an EU member states may transfer personal data to this third country without additional guarantees being required.

Alternative lawful basis

In addition to an adequacy decision, the following may - among others - also serve as lawful basis for data transfers to the UK or to any third country:

  • standard data protection clauses adopted by the EU Commission;
  • ad hoc contracts authorised by the competent data protection authority;
  • binding corporate rules (BCR) authorised by the competent data protection authority;
  • explicit consent of data subjects after having been informed of the possible risks of the absence of adequacy decision and appropriate safeguards; or
  • in the absence of an adequacy decision or appropriate safeguards: performance or conclusion of a contract, vital interests or establishment, exercise or defence of legal claims etc.

It needs to be carefully evaluated which of the alternative lawful basis provided for by the GDPR will be suitable for the data transfer in question. This requires a case-by-case examination including risk evaluation (frequency of data transfer, types of data, other processing criteria, etc).

In the light of the recent ‘Schrems’ decision of the ECJ, in case you would like to rely on standard data protection clauses adopted by the EU Commission, you must also conduct a risk assessment as to whether the legal framework of the target country offers an appropriate level of protection. What this exactly in the practice means, still needs to be seen.

Sanctions for breach of Article 44 pp GDPR

The absence of the lawful basis for the data transfer qualifies as a breach of the GDPR, in which case a fine up to EUR 20 million or 4 % of the worldwide annual turnover may be imposed. Companies need therefore to be prepared for the event that the EU Commission will not have adopted an adequacy decision on the UK by the end of the bridge period.

Autor: Dr. Karolin Nelles