UK issues guidelines on personal data transfers with organisations in EU

UK issues guidelines on personal data transfers with organisations in EU.   | Photo Credit: Reuters

(Subscribe to our Today's Cache newsletter for a quick snapshot of top 5 tech stories. Click here to subscribe for free.)

The UK government has detailed steps that businesses and organisations should take regarding data protection and data flows with the European Union/European Economic Area after the end of the transition period.

With less than three months before the end of UK’s transition period, the government launched ‘time is running out’ campaign for businesses and people.

“There are new rules for businesses and citizens from 1 January, 2021,” it read.

The government detailed measures for UK businesses and organisations that receive and transfer personal data between organisations abroad, including in the European Economic Area (EEA), which includes the EU and those who operate in the EEA.

Starting January 1, 2021, organisations may need to have Standard Contractual Clauses (SCCs) in place while signing agreements with EU counterparts in order to legally receive personal data from the EU.

SCC is set of terms and conditions that both the sender and receiver sign for every data transfer, which is then approved by an official European regulator.

“The EU’s data adequacy assessment of the UK is underway and we are confident that adequacy decisions can be concluded by the end of the transition period,” it noted.

This would enable free flow of personal data from the EU/EEA to the UK without any further action by organisations.

In case EU has not made adequacy decisions in respect of the UK before the end of transition period, organisations will be required to put in place alternative transfer mechanisms to ensure data can continue to legally flow between the EU/EEA and the UK.

The government said that 11 of the 12 countries deemed adequate by the EU said that they will maintain unrestricted personal data flows with the UK.

There are currently no changes to the way businesses send personal data to the EU, EEA, Gibraltar and other countries deemed adequate by the EU.

In addition to this, EU data protection law will apply to certain ‘legacy’ personal data if the UK has not been granted full adequacy decisions by the end of the transition period. Legacy data includes personal data of individuals outside the UK processed in the UK prior to the end of the transition period, or subsequently on the basis of the Withdrawal Agreement.

The guidelines mentioned that GDPR will be retained in UK law and will continue to be read alongside the Data Protection Act 2018.

This article is closed for comments.
Please Email the Editor

Printable version | Nov 26, 2020 2:05:56 AM |

Next Story