28/02/2024Personal Data Transfers and the Standard Contractual Clauses
What does a UK business (‘data exporter’) wishing to transfer personal data to another business… Read more
08/07/2021
Whilst the General Data Protection Regulation (GDPR) applies across the European Union (EU) and accordingly has no special rules for the transfer of personal data between EU member states, it does have special requirements for the transfer of the personal data of EU data subjects outside of the EU. Since the UK left the EU at the end of 2020, those special requirements now also affect UK data transfers.
In this briefing note, we summarise the key considerations.
Transferring Personal Data from the EU to the UK
The EU’s special requirements for data transfers are intended to apply when the EU is concerned that the laws of the country to which the personal data is to be transferred do not provide a comparable level of protection to that of the GDPR.
Accordingly, where the European Commission (EC) has determined that the laws of another country do provide adequate protection then no special requirements are needed. The EC has previously made a number of such adequacy decisions, including for Canada and Australia, and has now also made an adequacy decision for the UK.
This means that, in principle, personal data may be transferred from the EU to the UK in the same manner as it may be transferred between EU member states, although a UK data controller processing the personal data of EU data subjects and not also established in the EU now needs to appoint an EU Representative under Article 27 of the GDPR.
Transferring Personal Data from the UK to the EU
The UK has adopted the GDPR wholesale into English law merging it into the Data Protection Act 2018 (subject to any logically necessary changes) to create what is called ‘UK GDPR’ and has also, through Adequacy Regulations, effectively made adequacy decisions for both the EU and for the same countries as those on the list of the EC’s adequacy decisions. This means that, in principle, personal data may be transferred from the UK to the EU in the same manner as it was transferred when the UK was an EU member state. However, an EU data controller processing the personal data of UK data subjects and not also established in the UK now needs to appoint an UK Representative under the UK GDPR.
Transferring Personal Data from the UK to Other Countries with ‘Adequacy’ Decisions
As noted above, where it has been determined that the laws of another country provide protection for personal data comparable to that of the UK GDPR then no special requirements are needed to transfer personal data from the UK to that country and the UK’s list of such countries is the same as the EU’s.
Transferring Personal Data from the UK to Countries without ‘Adequacy’ Decisions
For personal data transfers from the UK to a country without an ‘adequacy’ decision, with the US being the obvious example, the UK GDPR follows the GDPR in requiring the use of one of the lawful data transfer mechanisms unless one of the exemptions applies. The most widely used mechanism is the so-called Standard Contractual Clauses (SCCs), although binding corporate rules (BCRs) can also be used by groups of companies, whilst probably the most common exemption is where the consent of the data subject is obtained.
The EC previously published two sets of SCCs: one for a transfer of personal data from a data controller in the EU to a data controller outside the EU and one for a transfer of personal data from a data controller in the EU to a data processor outside the EU. The principle, in each case, is that the party outside the EU is to be contractually bound to protect the personal data shared with it in a manner which seeks to broadly reflect the EU’s data protection regime and to make up for the perceived inadequacies in the local laws.
The UK has continued with the same controller-controller and controller-processor SCCs which have been published by the UK’s Information Commissioner’s Office (ICO) with a few ‘UK tweaks’ so, on the face of it, there is no substantive change in the use of SCC’s for data transfers from the UK to a country without an adequacy decision, and indeed the ICO has confirmed that UK data controllers may continue to rely upon such SCCs which they have previously put in place at least for the time being.
However, it is important to be aware of two issues at an EU level which are also relevant to the UK:
Transfers of Personal Data from the UK by Non-UK Data Controllers
Finally, where a data controller outside of the UK is processing the personal data of UK data subjects, it should be appreciated that the extra-territorial scope of the UK GDPR applies to that data controller in the same way as the extra-territorial scope of the GDPR, which means that not only must that data controller comply with the UK GDPR in the same way as a UK data controller, but if that data controller also processes the personal data of EU data subjects then the data controller must comply with both the UK GDPR and the GDPR regimes and will, for example, need to appoint both a UK Representative under the UK GDPR and an EU Representative under Article 27 of the GDPR.
Disclaimer: We at Memery Crystal (and our parent company RBG Holdings plc) support and encourage free/independent thinking in relation to issues which are sometimes considered to be controversial subject matters. However, the views and opinions of the authors of articles published on our website(s) do not necessarily reflect the opinions, views, practices and policies of either Memery Crystal or RBG Holdings plc.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
What does a UK business (‘data exporter’) wishing to transfer personal data to another business… Read more
Memery Crystal’s Corporate team has started 2024 with a bang, advising on three equity… Read more
In this five-part audio series in association with The Gambling Law Review and Lexology, Partner and renowned gambling… Read more
In this five-part audio series in association with The Gambling Law Review and Lexology, Partner and renowned gambling… Read more