On 28 June 2021, the European Commission formally adopted an ‘adequacy decision’ that permits the continued free flow of personal data from EEA countries to the UK under the EU General Data Protection Regulation (EU GDPR). We summarise what this means for UK employers.
The EU GDPR regime restricts international transfers of personal data outside the EEA on the basis that other countries may not offer a sufficient level of data protection. Restricted transfers are only permitted if the country or territory to which the data is transferred has received an ‘adequacy decision’ from the EU Commission, additional safeguards such as standard contractual clauses or binding corporate rules are put in place, or an exception applies.
Restrictions on international transfers have the potential to interrupt data flows and be disruptive to business. For example, employers that are part of a multinational corporate group with companies in the UK and across the EEA, operating a centralised HR portal, are constantly sending and receiving personal data across borders.
Brexit and the Trade and Cooperation Agreement
Since the post-Brexit transition period ended on 1 January 2021, the UK has been a third country for the purposes of transfers of personal data from the EEA to the UK. The UK-EU Trade and Cooperation Agreement provided a bridging mechanism that allowed the continued free flow of personal data from the EEA to the UK after the transition period for up to 6 months, i.e. up to 30 June 2021, while the EU Commission considered whether to grant the UK an adequacy decision.
Adequacy decision granted
Fortunately, on 28 June 2021, the EU Commission formally granted an adequacy decision for the UK. Accordingly, it remains possible for personal data to be transferred from the EEA to the UK without additional safeguards. The ICO has welcomed this as a positive outcome for UK businesses.
The adequacy decision is valid for an initial four year period, after which it may be renewed if the EU Commission is satisfied that the UK continues to provide adequate protection for personal data.
Transferring personal data from the UK to the EEA
It is also worth briefly noting the position with regard to transfers of personal data in the other direction, i.e. from the UK to the EEA.
The substance of the EU GDPR has been incorporated into our domestic law and continues to apply, albeit with certain changes to take account of Brexit. This is referred to as the ‘UK GDPR’ and is supplemented by the Data Protection Act 2018 (DPA 2018).
In much the same way as the EU GDPR restricts transfers of personal data outside the EEA, the UK GDPR restricts transfers of personal data outside the UK. However, in the lead up to the end of the post-Brexit transition period, the UK Government recognised EEA member states as providing adequate protection for personal data, in order to ensure the continued free flow of personal data from the UK to the EEA without the need for additional safeguards. Data protection documentation such as privacy notices should, however, identify that personal data is being transferred on this basis.
How we can help
Make UK member companies can access further information about the requirements of the UK GDPR and DPA 2018 in the HR & Legal Resources section of our website.
Our pack of essential GDPR template documents provides an accessible set of template documentation to meet the requirements of the UK GDPR in relation to employee data. For further information, and to purchase the documents, click here.