Brexit and international data transfers
International data transfers face a new situation: on January 31, 2020, after various extensions, Brexit took place, with the United Kingdom leaving the European Union after 47 years.
Among its many consequences (some still to be known), several concern compliance with data protection laws: European regulation on this matter has always assumed that transferring data outside European territory involves additional risks for data subjects.
Before Brexit, the UK was a member of the EU with all that this entails, and therefore the flow of personal data between companies to or from the United Kingdom was not subject to any additional action. This changes with Brexit.
When do changes to data protection regulations apply?
Until December 2020, nothing changes because we are in the transition period; from January 2021, the UK will be considered, for all purposes, as a third country and therefore subject to the requirements that GDPR provides for international data transfers.
How does international business data transfer affect EU companies?
I am an EU company transferring data to the UK, what happens?
This will be considered as an international transfer of personal data, so you will need to fulfill the requirements of the GDPR (arts. 44 to 49).
Think about common services such as web or database hosting, ERP or CRM; if the companies that provide you with these services are based in the UK, this affects you.
Among other options, you can:
- ask the data subject for express consent,
- sign the standard contractual clauses (SCC) offered by the EU, or
- develop a contract and request authorization from the Data Protection Authority.
How does international business data transfer affect UK companies?
I’m a UK company processing data from European citizens, what should I do?
Companies based in the UK whose customers, employees or other data subjects are based in the EU shall, from January 2021, appoint an EU data protection representative before the Data Protection Authority of a Member State.
The representative will respond on behalf of the British company in case of complaints from European citizens about the processing of their data. The EU representative should not be confused with the Data Protection Officer; the EU representative is not required to prove specific training or knowledge on data protection, but it is advisable to demonstrate experience in dealing with complaints from individuals or the requirements of the Data Protection Authority.
The relationship between the British company and the EU representative must be regulated in a contract, and the appointment must be communicated to the Data Protection Authority.
If you are a British startup and want to keep doing business within the EU and be 100% GDPR compliant, contact us.