At it’s Seventh Plenary Session, the European Data Protection Board (EDPB) adopted a note on data transfers under the GDPR in the event of a n0-deal Brexit.
The EDPB, who work towards a consistent approach to data protection application across Europe (replacing the old Article 29 Working Party) and is made up of representatives from the national data protection authorities (e.g. the ICO in the UK), said in their note:
Data flows from the EEA to UK
In the absence of an agreement between the EU and the UK (no-deal Brexit), the UK will become a third country from 00.00 am CET on 30 March 2019. As a consequence, the transfer of personal data from the EEA to the UK will have to be based on one of the following instruments: Standard or ad hoc Data Protection Clauses, Binding Corporate Rules, Codes of Conduct and Certification Mechanisms and the specific transfer instruments available to public authorities. In the absence of Standard Data Protection Clauses or other alternative appropriate safeguards, derogations can be used under certain conditions.
Data flows from UK to the EEA
As regards data transfers from the UK to the EEA, according to the UK Government, the current practice, which permits personal data to flow freely from the UK to the EEA, will continue in the event of a no-deal Brexit.
So, what this means in practice is, if you’re a UK business that processes personal data sent from the EEA then you can expect, in a no-deal Brexit scenario, your existing processing agreements to change to include model clauses or some other legally approved means of ensuring compliance. If you need help with his, get in touch to find out how we can help.