As of 1 January 2021, the UK will no longer apply the General Data Protection Regulation to the processing of personal data, therefore a separate legal framework regarding data protection will be in force in the UK. If your company operates in the EU and transfers personal data to the UK, as well as the same apples to all transfers of personal data between stakeholders subject to GDPR, that kind of transfer of personal data will constitute a transfer of personal data to a third country and therefore will be subject to the provisions of Chapter 5 of the GDPR.

In accordance with the General Data Protection Regulation, all transfers of data to the UK would be subject to particular requirements

In accordance with Article 46 GDPR, in the absence of an adequacy decision applicable for now to the UK provided in Article 45 GDPR, such transfers will require appropriate safeguards such as: 

  • standard data protection clauses; 
  • binding corporate rules;
  • codes of conduct;
  • enforceable data subject rights; 
  • effective legal remedies for data subjects; 
  • supplementary measures;
  • etc.

It may still be possible to transfer personal data to the UK based on a derogation provided in Article 49 GDPR.

However, Article 49 GDPR has an exceptional nature and the derogations of the respective article shall be interpreted restrictively and mainly relate to processing activities that are occasional and non-repetitive, which may not be the case involving business activities. 

In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:

(a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;


(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;


(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;


(d) the transfer is necessary for important reasons of public interest;


(e) the transfer is necessary for the establishment, exercise or defence of legal claims;


(f) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;


(g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.

If you are transferring/plan to transfer personal data to the UK:

Controllers and/or processors will also need to comply with other obligations deriving from the GDPR, in particular on the need to update the records of processing and privacy notices to mention transfers to the UK.

To update your records of processing, privacy notices, DPIA, corporate binding rules and other data protection documentation after Brexit, do not hesitate to contact EU LAW FIRM data protection lawyers -

EU LAW FIRM lawyers also prepare data protection document templates for companies that you can use to ensure the compliance with data protection regulatory framework.

You also can contact us via Whatsapp, Telegram, Viber +37126742086