Legal News | 26.03.21
EUROPEAN COMMISSION PUBLISHES DRAFT ADEQUACY DECISIONS FOR PERSONAL DATA TRANSFERS FROM THE EU TO THE UK
Under the EU GDPR, transfer of personal data from EEA countries to countries that are not members of the EU is permitted only in certain circumstances. These circumstances include where there is a similar level of data protection or where there are appropriate safeguards or codes of conduct in place. As the UK is no longer a member of the EU, the European Commission has been preparing adequacy decisions to determine if the UK has an adequate level of data protection to allow for personal data transfers from the EU into the UK.
On 19 February, the European Commission published two draft adequacy decisions for personal data transfers from the EU to the UK thereby starting the process for their adoption. The Commission stated that after a careful assessment they have determined that the UK ensures an “essentially equivalent” level of protection to that guaranteed under the EU GDPR. Once the adoption is complete, the adequacy decisions will be valid for four years, after which they will be reviewed. The adequacy decisions provide for mechanisms for monitoring and reviewing UK data protection law to make sure it remains equivalent to the EU standards.
The Information Commissioner commented that the publication of the adequacy decisions is “an important milestone in securing the continued frictionless data transfers from the EU to the UK”. The draft adequacy decisions are currently with the European Data Protection Board for review, after which the Commission will put forth the decisions for approval by the EU member states. Until the adequacy decisions are approved, organisations continue to be able to receive personal data from the EU under the temporary “bridging mechanism”, agreed in the EU-UK Trade and Cooperation Agreement.
If you would like more specific advice on how these changes could affect your business please get in touch with your usual contact or email: email@example.com.