Changes in data transfer outside the European Union

June 28, 2021. The European Commission has issued a decision regarding the transfer of personal data from the European Union to the UK. The need to regulate data transfers to the UK arose as a result of the UK’s departure from the EU (Brexit) and brings with it changes for all entities transferring data from Europe to the UK.

Under the provisions of the GDPR, the transfer of personal data outside the EU can only take place in a few cases. Among others, when the European Commission determines that a third country – as a data recipient – provides an adequate level of protection. Such a decision has been issued by the EC concerning the UK. Currently, the UK does not apply the provisions of GDPR. Until now, they have enabled the free flow of data between the countries of the European Economic Area and the UK.

The EEA consists of the twenty-seven EU member states plus Iceland, Liechtenstein, and Norway. While the transfer of data within them is subject to facilitation, this is not the case for countries outside the EU.

Recognition by the European Commission of a particular third country, in this case, the UK, as providing an adequate level of protection for personal data allows such data to be transferred from the EEA just as freely. And the entire process takes place without the need to obtain additional authorizations or implement additional safeguards under Chapter V of the GDPR. Such safeguards include standard contractual clauses, which are required if a third country does not provide an adequate level of protection as confirmed by an EC decision. In practice, this means that personal data will be able to be transferred to the UK without restrictions while respecting other provisions of the GDPR.

In the absence of an EC decision as to the third country, data transfer is based on standard contractual clauses as possible. As of 27 June 2021, new model clauses adapted to the requirements of GDPR became effective. Standard contractual clauses are a set of model (model) provisions of an agreement on the transfer of data between entities. We currently have four types of standard contractual clauses corresponding to different data transfer relationships:

• between controllers,
• from a controller to a processor in a third country,
• between processors,
• from processor to the controller in a third country.

Contracts concluded before the entry into force of the new model clauses based on the previous model may still form the basis for data transfers outside the EEA. However, provided that the processing operations that are the subject of the contract remain unchanged. The second requirement to be met is the use of appropriate safeguards.

Note, however, that the use of the above mechanisms does not exempt the transferor from the obligation to verify the recipient of the data! He must assess whether the entity receiving the data provides a guarantee of adequate – and above all secure – data processing.