The EU Commission adopted an adequacy decision for the UK and thereby confirmed that the UK GDPR provides an equivalent level of protection to that in the EU. What this means for your UK-based company and which obligations you may have despite the adequacy decision will be shown in this article.
The adequacy decision for the UK
Following Brexit, the UK is now governed by the UK General Data Protection Regulation (UK GDPR), which makes it a third country under the EU General Data Protection Regulation (GDPR). To enable the free flow of data from the EU to a third country, the EU Commission can adopt an adequacy decision according to Article 45 GDPR.
On 28 June 2021 the EU Commission formally adopted such an adequacy decision for the UK, confirming that the UK has a data protection level equivalent to the EU level of protection. On this basis, data can continue to flow from the EU to the UK. However, despite the adequacy decision, UK-based companies still have to take into account the GDPR and national provisions of the countries they are operating in when transferring data form the EU to the UK.
Data transfers between the EU and the UK under the adequacy decision
The adequacy decision of the EU Commission confirmed an equivalent data protection level under the UK GDPR. This enables UK-based companies to receive data from the EU without having to implement further safeguards. The adequacy decision only includes an exception for data that is transferred for the purpose of UK immigration control or where the UK immigration exemption in the UK DPA 2018 applies. To transfer data covered by the exception from the EU to the UK, other safeguards provided by the GDPR (see Art. 46) must be used by the EU entities transferring the data in order to ensure an adequate level of protection. The most common tool are Standard Contractual Clauses adopted by the EU Commission, into which the sender of the data can enter with the receiving UK-based company.
Limited duration of the adequacy decision
UK-based companies should keep in mind that the adequacy decision of the EU Commission contains a so-called “sunset clause” that limits its duration until 27 June 2025. It can be renewed by the EU Commission, provided that the level of data protection in the UK continues to be adequate.
Moreover, the EU Commission may revise its decision at any time if the UK level of data protection decreases, e.g., caused by a change in UK legislation. Finally, data subjects or EU data protection authorities might challenge the adequacy decision before the European Court of Justice (ECJ), which could lead to the overturning of the decision. In any of these cases, safeguards provided by the GDPR (see Art. 46) must be used by the sender of the data to ensure an equivalent level of protection and to legally transfer data from the EU to UK-based companies.
Further obligations for companies under the GDPR and national provisions
Despite the adequacy decision, UK-based companies still have to take into account the provisions of the GDPR. In particular, an EU representative has to be appointed if your company does not have an establishment within the EU. The representative has to be designated in writing in one of the Member States where the data subjects are located. The appointed representative has to be mandated as one of the (or the only) contact persons for supervisory authorities and data subjects on data processing-related issues.
Moreover, UK companies have to comply with national data protection laws of all EU countries in which they operate. All national data protection laws have to be in compliance with the EU GDPR; however, national laws might specify, modify or complement the provisions of the GDPR. See our free data protection comparison for national deviations from the EU GDPR.