On 28 June 2021, the European Commission (EC) adopted two adequacy decisions for the United Kingdom: Decision on the adequate protection under Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR Decision); and Decision on the adequate protection under Directive 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data (applicable to public authorities).
- All data transfers are covered, irrespective if via automated means or not;
- Both decisions on UK adequacy are subject to a “sunset clause”, meaning that they will automatically expire in 2025; until then, EC will actively monitor the UK legislation to ensure satisfactory adequacy level;
- Personal data transferred for UK immigration control purposes are carved out from the scope of the GDPR Decision.
What to do?
Controllers transferring data in UK might consider:
- Reviewing the legal basis for transferring data to UK; if they concluded standard contractual clauses (SCCs) to support such transfer, the SCCs can be terminated;
- Updating their privacy policies by indicating that data transfers to UK are being made in consideration that UK ensures an adequate level of protection;
- Closely monitoring the status of the GDPR Decision, so as to ensure that such is not retracted or otherwise amended by the European Commission.
Keep an eye on our next newsletter on Greenlight for “EU – Republic of Korea data transfers” ® currently European Commission launched the process towards adoption of a draft of an adequacy decision for transfers towards Republic of Korea.