Expert tip: Brexit & Data Protection With special regard to the aspect of video surveillance

Great Britain left the EU on 31 December 2020. From a European perspective, many questions now arise: What do companies have to prepare for? Will data transfer to the UK become more complicated? What is the situation regarding data protection and Brexit? This Dallmeier expert tip on the topic of Brexit and data protection will help you keep an overview of the legal requirements and developments.

Is UK now a "data protection third country"? What is this about?

  • Until Brexit, the GDPR applied directly and immediately in the UK.
  • The level of data protection in the EU created by the GDPR should not be circumvented or undermined by
    transferring data abroad and processing it there, where a lower level of data protection than in the EU may apply.
  • According to the GDPR, “abroad” means to a third country. Non-EU member states are so-called third countries.
  • For the UK, however, a transition period of max. six months applies.

Which Data Transfer / Data Processing are affected?

  • Transfer and processing of general and business-related personal data to/in the UK.
  • Transfer and processing of personal data and data relating to persons which arise in the handling and use of video technology
  • Data and video data processing and transfers occur, for example, when:
    • service providers abroad are used as processors (e.g. video service providers in support cases)
    • or when cloud solutions are used (e.g. cloud video service providers), where the servers are usually located abroad.

Which regulation applies from 01.01.2021 according to the free trade agreement?

REGULATION AND IMPORTANT TO KNOW:

  • The UK is not a third country under data protection law for a transitional period of max. 6 months.
  • For the period of this transitional solution, companies do not have to make arrangements to be able to transfer data between the EU and the UK.

Outlook and Tips for Action (regarding data transfer)

SCENARIO 1 (BEST AND SIMPLEST CASE: “ADEQUACY DECISION”)

  • After a transitional period, data transfers to the UK, which would then “officially” be a third country could be possible and compliant with data protection law on the basis of an adequacy decision by the EU Commission (under Art 45 GDPR).
  • An “adequacy decision” would be, roughly speaking, a confirmation that a third country has an adequate level of protection (“safe third country”).
  • Transitional period applies until the European Commission has issued a final adequacy decision for the United Kingdom.
  • Adequacy decision is very likely according to current expert opinion.
  • Companies can then base their data processes in or to the UK on the provisions of Article 45 GDPR.

SCENARIO 2 (“WORST” AND MORE ELABORATE CASE)

  • If no adequacy decision is issued, this will result in an increased need for action on the part of the companies.
  • However, the GDPR also enables data transfers to the UK to be carried out in compliance with data protection law in this case.
  • However, companies would have to become active and implement certain instruments and processes as
  • soon as possible after the expiry of the transitional period as quickly as possible.
  • • Presumably in accordance with the provisions for data transfer to third countries pursuant to Articles 46 et
  • seq. of the GDPR .
  • • E.g. data transfer subject to appropriate safeguards / standard data protection clauses

Important notice regarding data processing

BEYOND THE TOPIC OF DATA TRANSFER, THE FOLLOWING REGULATION APPLIES:

  • In the case of data processing, the GDPR will continue to apply indirectly to UK companies after Brexit, i.e. the UK will not be able to completely abandon the GDPR after Brexit.
  • The GDPR continues to apply to data processing scenarios as described in Article 3(2) of the GDPR (“Territorial Scope”)
    • Offering goods or services to individuals in the Union
    • Monitoring the behaviour of data subjects in the Union

Checklist for you as a decision maker or a responsible person

  • Taking note of this information and making it comprehensible.
  • Continue to monitor scenarios and deadlines and await decisions by the EU Commission.
  • At the same time, monitor the Dallmeier expert tips and newsletters and keep subscribed to them.
  • Initiate the necessary measures at time x.
  • Initiate the following now:
    • Take a look at the processing directory: This should show whether and which data is being
      • transferred to the UK (perspective data transfer EU -> UK)
      • processed by EU data subjects in the UK (perspective: data processing of EU data subjects by UK companies)
    • Check for each processing operation whether the transfer is currently and in the future, depending on the scenario, still GDPR-compliant.
    • Optionally update contracts with data processors or joint controllers.
    • Review documents such as the processing directory, data protection statement and data protection impact assessment and update them if necessary.

19 May 2022: Blog Post Update

Outlook and Tips for Action (regarding data transfer)

  • SCENARIO 1 (BEST AND SIMPLEST CASE: “ADEQUACY DECISION”)

June 2021:
EU Commission adopts adequacy decision on the UK's level of data protection

On 28 June 2021, a few days before the end of the transitional solution, the EU Commission issued an adequacy decision pursuant to Art. 45 GDPR, according to which the UK is classified as a safe third country.

The adequacy decision has an initial term of four years (until June 2025).