For more general information on some of these specific data flow agreements, see the Tech UK briefing. In the case of a non-agreed Brexit, the government advises organisations to develop appropriate contracts to ensure that any transfer of personal data from EU citizens to the UK complies with data protection legislation. The extraterritoriality of the UK data protection framework will continue to apply. This means that the processing of personal data about individuals in the UK is taken into account in the provision of goods and services or monitoring their behaviour with respect to the processing of personal data in the United Kingdom. It is essential that this includes controllers and processors based in the EEA. The UK faces the prospect of being considered a third country when it leaves the EU. As a result, the transfer of personal data by organisations within the EU to other organisations in the UK is subject to strict data transfer rules, in accordance with the EU General Data Protection Regulation (GDPR). EU organisations must ensure that their transfers to Britain are legitimate, which will not be as simple as they are today. The United Kingdom cannot unilaterally guarantee the free flow of personal data from the EEA to the United Kingdom, so these are the most vulnerable data flows. Those who rely on such transmissions must complete one of the authorized data transfer mechanisms in the absence of a matching decision. The most likely candidate that is easiest to organize is standard contractual clauses (CSCs) that should be available through ID. In November 2017, the ESC looked at the future of data protection in the European institutions, pointing out that no one has prepared for these issues in favour of Brexit.

If a Brexit deal is not reached between Britain and the EU, which covers data protection and data transfer agreements, the answer will be no. The Commission should follow an evaluation procedure before adequacy can be granted. Despite the BRITISH government`s requests to start this process, the Commission will not be able to start the process until the UK leaves the EU and becomes a third country. Article 45 of the RGPD sets out what the Commission should take into account in the adequacy review. The aim is to show the EU that the UK is a safe place for data processing, so as not to impose restrictions on data transmission. The European Commission can assess the level of protection of personal data in third countries to determine whether it is about the same level as the EU. If a country „passes“ the rigorous examinations, the Commission can make a decision on adequacy. Personal data is all information that can be used to identify a living person, including names, delivery details, IP addresses or HR data such as salary data. Most organizations use personal data in everyday operations.