June 4, 2021
EDPO and the BLCC discussed the impact of Brexit on GDPR obligations for Belgian and Luxembourg companies. Watch below the recording of the webinar (held on 1 June 2021).
The impact of Brexit on GDPR obligations for companies in Belgium or Luxembourg
Our speakers, Jane Murphy (Founder and Chairman of the Board of EDPO) and Romane Geurts (Data Protection Representative at EDPO) addressed burning issues of Brexit and GDPR and clarified the most common misunderstandings regarding the UK Adequacy Decision.
How does Brexit impact GDPR obligations for BeLux companies that do business with the UK?
On 31 January 2020, a Withdrawal Agreement was signed between the UK and the EU. Brexit was scheduled to take effect on 1 January 2021, at the end of a transition period that concerned all data protection matters.
On 24 December 2020, the Trade and Cooperation Agreement (TCA) was signed between the parties. A new transition period of six months started on 1 January 2021, allowing unrestricted data flows between the EU and the UK until the end of June 2021.
Here is a recap of the situation. On 1 January 2021:
- The UK became a third country to the EU
- The UK GDPR came into effect: the main principles, rights and obligations of the EU GDPR were maintained
- The EU GDPR continues to apply, unchanged, in all EEA countries
- Transfers of personal data from the UK to the EU were already recognised by the UK as being safe (i.e. authorised)
- Transfers of personal data from the EU to the UK continue to flow freely during the new transition period, while the EU Commission follows the procedure for the adoption of an Adequacy Decision
Most common misunderstandings about the new transition period:
- As from 1 January 2021: EU companies have to comply with UK GDPR obligations, amongst which the “forgotten” obligation to appoint a UK Representative for non-UK companies
- 1 January to 30 June 2021: the new transition period only applies to transfers of personal data from the EU to the UK while waiting for an Adequacy Decision. All other GDPR obligations apply (including the obligation to appoint EU and UK GDPR Representatives).
If your BeLux company transfers personal data to the UK, this has two main effects:
- BeLux companies that don’t have an establishment in the UK will most likely have to appoint a representative in the UK if they offer products and/or services to individuals in the UK or monitor the behavior of such individuals.
- International transfers of personal data: As part of the new trade agreement, the EU has agreed to delay restrictions on the transfer of personal data from the EU to the UK until 30 June 2021 (known as “the bridge”). Transfers of personal data from the EU to the UK continue to flow freely during the new transition period, while the EU Commission follows the procedure for the adoption of an Adequacy Decision.
The “forgotten” obligation to appoint a UK Representative
What is a UK GDPR Representative?
The UK GDPR Representative is your point of contact for UK data subjects and the UK Data Protection Authority. The Representative must also keep a copy of the Records of Processing Activities of the company it represents.
Do you need to appoint a UK Representative?
You must appoint a Representative in the UK if:
- You do not have an establishment in the UK; and
- You provide goods or services to people in the UK or monitor their behaviour
Examples:
- You are a company in Brussels that exports chocolate to the UK (products/B2C or B2B)
- You are a company in Leuven that sells bike parts to UK companies and manufacturers online (products/B2B)
- You are a charity organisation in Antwerp and you have contributors in the UK (non-profit organisation)
- You are a company in Belgium that provides IT consultancy services to UK start-ups (services/B2B)
- You are a law firm in Luxembourg that provides legal services to UK companies and individuals (services/B2B & B2C)
The Representative must be based in the UK and appointed by a written mandate agreement.
You don’t have to appoint a Representative if:
- You are a public authority; OR
- You have an establishment in the UK; OR
- You carry out processing activities only occasionally, on a small scale and at low risk for individuals
What measures should you take to stay compliant with the EU GDPR if you transfer personal data to the UK?
Do you really know if you’re transferring personal data to the UK? Even if you don’t export any products or services to the UK, you may still be transferring personal data to the UK!
Examples:
- You use a CRM (Customer Relationship Management) or marketing software from the UK
- Your customers can pay via an online payment application whose servers are located in the UK
- You transfer your customers’ orders to your manufacturer located in the UK
The transfer of personal data outside the EU is only allowed under certain conditions.
- Until 30 June 2021: you don’t need to do anything. Personal data can flow freely from the EU to the UK during the transition period
- As from 1 July 2021:
- If the EU Commission adopts an Adequacy Decision: You won’t need to do anything. Personal data will continue to flow freely from the EU to the UK.
- If the Adequacy decision if not adopted by the European Commission, you should identify processing activities that involve transfers of personal data from the EU to the UK and put in place appropriate transfer mechanisms, such as:
- Standard contractual clauses (“SCCs”) issued by the European Commission. A new draft was published 4 June 2021.
- Binding Corporate Rules (“BCRs”), that are only valid for companies that are part of a group
- Other derogations (art. 49.1 of the GDPR)
What is the current situation regarding the adoption of a UK Adequacy Decision?
The procedure to adopt an Adequacy Decision consists of four steps:
- A draft decision proposal by the European Commission
- An opinion issued by the European Data Protection Board (EDPB) (non-binding)
- An approval needed from the Representatives of EU Member States (binding decision)
- The adoption of the decision by the European Commission
“At any time, the European Parliament and the Council may request the European Commission to maintain, amend or withdraw the adequacy decision on the grounds that its act exceeds the implementing powers provided for in the regulation.” (EU Commission)
Where do we stand now?
- 19 February 2021: The European Commission issued its drafts on the UK Adequacy Decision, finding the UK to be adequate.
- 16 April 2021: The European Data Protection Board adopted two opinions on the draft decisions. These opinions are not binding. The EDPB pointed out that improvements were necessary to grant an Adequacy Decision to the UK!
- 11 May 2021: The LIBE Committee issued a Resolution evaluating the Commission’s approach to the UK Adequacy Decision and urged it to amend the decision to bring it in line with EU court rulings and the EDPB concerns.
- 20 May 2021: The European Parliament voted in favour of a Resolution to ask the Commission to amend its draft decisions.
- 21 May 2021: The European Parliament voted no to the non-amended version of the UK Adequacy Decision draft by the Commission
We are now waiting to see what will happen before the end of the new transition period.
- If the Adequacy Decision is approved: Personal data can flow freely from the EU to the UK without any other safeguards.
- If the Adequacy Decision isn’t approved: Non-restricted data flows will stop. Your company will be required to take additional safeguards to transfer personal data to the UK.
Most common misunderstanding about the Adequacy Decision:
Will you need a UK representative if the UK gets an Adequacy Decision?
Yes. A UK Adequacy Decision does not affect your obligation to appoint a UK representative if you fall within the conditions of article 27 of the UK GDPR.
Tips to prepare your company for the 30 June deadline
- Identify which processing activities involve personal data transfers from the EU to the UK
- Put alternative safeguards on standby before the end of June to avoid breaching the new rules if the EU does not grant the UK an Adequacy Decision
- Specify in your documentation that transfers to the UK will be made
- Appoint a representative in the UK
- Update your data protection policy to inform data subjects of transfers to the UK and include contact information of your UK representative
Want more information on the topic ? Click on our youtube video for the full webinar !
[Soon]
Follow us on Linkedin for daily breaking GDPR news!
Get our weekly newsletter in your inbox every Monday with fresh GDPR and Data Protection news!