Information rights at the end of the transition period – Frequently Asked Questions

Information Commissioner’s Office, “Data protection at the end of the transition period”, retrieved on 11th January 2021, licensed under the Open Government Licence.

In detail

  • What effect does the trade deal have on data protection?

    As part of the new trade deal, the EU has agreed to delay transfer restrictions for at least another four months, which can be extended to six months (known as the bridge). This enables personal data to flow freely from the European Economic Area (EEA) to the UK until either adequacy decisions are adopted, or the bridge ends.

    If you receive personal data from the EEA, we recommend you put alternative safeguards in place before the end of April, if you haven’t done so already.

    For more information, read Data Protection at the end of the transition period and our guidance on International Transfers.

    The ICO have also produced an interactive tool (external link) on using standard contractual clauses for transfers into the UK to help you.

    We will keep our guidance under review and update it as necessary to reflect any developments.

  • Do we need a European representative?

    You may need to appoint an EU representative if you are offering goods or services to individuals in the EEA or monitoring the behaviour of individuals in the EEA. For more information, read Data protection at the end of the transition period – European representatives.

  • Does the GDPR still apply?

    The EU GDPR is an EU Regulation and it no longer applies to the UK. However, if you operate inside the UK, you will need to comply with UK data protection law. The GDPR has been incorporated into UK data protection law as the UK GDPR – so in practice there is little change to the core data protection principles, rights and obligations found in the UK GDPR.

    The EU GDPR may also still apply directly to you if you operate in Europe, offer goods or services to individuals in Europe, or monitor the behaviour of individuals in Europe.

    The EU GDPR will still apply to any organisations in Europe who send you data, so you may need to help them decide how to transfer personal data to the UK in line with the UK GDPR, if the trade deal bridge ends without adequacy.

    The ICO will not be the regulator for any European-specific activities caught by the EU version of the GDPR, although we hope to continue working closely with European supervisory authorities.

    For more information on how this affects your data protection obligations and what you need to do, visit our Data Protection at the end of the transition period page.

  • What is the UK data protection law now the Brexit transition period has ended?

    The Data Protection Act 2018 (DPA 2018) continues to apply. The provisions of the EU GDPR were incorporated directly into UK law at the end of the transition period. The UK GDPR sits alongside the DPA 2018 with some technical amendments so that it works in a UK-only context.

  • What role will the ICO have?

    The ICO will remain the independent supervisory body regarding the UK’s data protection legislation.

    The UK government will continue to work towards maintaining close working relationships between the ICO and other countries’ supervisory authorities once the transition period ends.

  • Is the ICO’s GDPR guidance still relevant?

    Yes. The principles of the EU GDPR have been incorporated in UK Data Protection law, so you should continue to use our existing guidance. We have updated our guidance to reflect that the Brexit transition period has ended. We will continue to keep our guidance under review and update it where necessary.

  • Can we still transfer data to and from Europe?

    Transfers of data from the UK to the European Economic Area (EEA) are not restricted. The EU has agreed to delay transfer restrictions from the EEA to the UK for at least another four months, which can be extended to six months (known as the bridge). This enables personal data to flow freely from the European Economic Area (EEA) to the UK until either adequacy decisions are adopted, or the bridge ends.

    Unless the EU Commission makes an adequacy decision before the bridge ends, EU GDPR transfer rules will apply to any data coming from the EEA into the UK. You need to consider what safeguards you can put in place to ensure that data can continue to flow into the UK.

    If you receive personal data from the EEA, we recommend you put alternative safeguards in place before the end of April, if you haven’t done so already.

    For more information, read Data Protection at the end of the transition period and our guidance on international transfers.

    The ICO have also produced an interactive tool on using standard contractual clauses for transfers into the UK (external link) to help you.

  • What does Adequacy mean?

    The EU GDPR applies to controllers and processors (with some exceptions) in the European Economic Area (EEA). The UK is now a third country. Third countries are states that fall outside of the EU GDPR zone (EU member states plus Norway, Liechtenstein and Iceland). The EU GDPR restricts transfers of personal data to third countries, unless personal data is protected in another way or an exception applies. Please see our guidance on International Transfers for more information.

    The European Commission has the power to determine whether a third country has an adequate level of data protection. The effect of an adequacy decision is that personal data can be sent from an EEA state to a third country without any further safeguard being necessary.

    The trade deal agreed between the UK and the EU means that the UK has a four to six month bridge where data can continue to flow whilst adequacy negotiations continue.

    The UK Government are seeking adequacy decisions from the European Commission under both the General Data Protection Regulation and Law Enforcement Directive which, if secured by the end of the bridge, will allow the free flow of personal data to the UK from the EU to continue uninterrupted. We will update our guidance to reflect the outcome of this. In the meantime, there are steps that you can take to ensure that personal data can continue to flow if the bridge ends without adequacy decisions. For more information, read our guidance on International Transfers, and our interactive tool (external link) on using standard contractual clauses for transfers into the UK.

    Transfers of data from the UK to the EEA are permitted. The UK Government has recognised EU Commission adequacy decisions made before the end of the transition period. This allows restricted transfers to continue to be made from the UK to most organisations, countries, territories or sectors covered by an EU adequacy decision. You can find more detail in our guidance on international data transfers at the end of the transition period.

    We recommend that you regularly check our data protection at the end of the transition period page for updates and new resources.

  • What do I need to do with data collected before the end of the transition period?

    The data protection provisions set out in the Withdrawal Agreement (Part Three, Title VII, Article 71(1), signed by the UK and the EU in December 2019) apply unless full adequacy decisions are adopted by the EU.

    This means organisations in the UK will need to comply with EU data protection law (as it stands on 31 December 2020) when processing personal data that was gathered before the end of the transition period.

    Take stock so that you can identify overseas data acquired before the end of the transition period (known as ‘legacy data’). Data processed before 01 January 2021 is subject to the EU GDPR as it stood on 31 December 2020 (known as the ‘frozen GDPR’).

    Data collected after 31 December 2020 will need to comply with the UK GDPR alongside the DPA 2018. Therefore, it is important that organisations know when personal data was collected and where the data subject lived on 31 December 2020 to ensure that their processing complies with the appropriate legislation. Our End of Transition Interactive Tool will help you decide if you are processing ‘legacy data’ and provides more guidance. As the UK data protection regime is currently aligned with the ‘frozen GDPR’, you can continue to read our guidance on the basis that UK GDPR applies. If the EU Commission gives the UK an ‘adequacy decision’ then these requirements will cease to apply.

    The government have published guidance on the personal data provisions in the Withdrawal Agreement.

  • Do we need to appoint a UK representative?

    If your business is located outside of the UK with no offices, branches or other establishments in the UK, and you are offering goods or services to individuals in the UK or monitoring the behaviour of individuals within the UK, then you need to consider whether you must appoint a UK representative. They need to be in post when the transition period for leaving the EU ends. For more information, read Data protection at the end of the transition period – UK representatives.

  • How do I choose a UK Representative?

    If you are based outside of the UK and you do not have a branch, office or other establishment in the UK and you either:

    • offer goods or services to individuals in the UK; or
    • monitor the behaviour of individuals in the UK,

    then you will need to comply with the UK GDPR from 1 January 2021. The UK GDPR will require you to appoint a representative in the UK.

    Your representative may be an individual, or a company or organisation established in the UK, and must be able to represent you regarding your obligations under the UK GDPR (e.g. a law firm, consultancy or private ). In practice the easiest way to appoint a representative may be under a simple service contract.

    You will need to authorise the representative, in writing, to act on your behalf regarding your UK GDPR compliance, and to communicate with the ICO and with data subjects.

    For more information, read our guidance on UK Representatives.

  • Does PECR still apply?

    Yes. The current PECR rules cover marketing, cookies and electronic communications. They derive from EU law but are set out in UK law. They will continue to apply at the end of the transition period.

    The EU is replacing the current e-privacy law with a new e-privacy Regulation (ePR). The new ePR is not yet agreed.

    You can find more information on current PECR rules in our Guide to PECR (external link).

  • Does NIS still apply?

    Yes. The NIS rules cover network and information systems. They derive from EU law but are set out in UK law. They will continue to apply at the end of the transition period. You can find more information in our Guide to NIS (external link).

    If you are a UK-based digital service provider offering services in the EU, from the end of the transition period you may need to appoint a representative in one of the EU member states in which you offer services. You will need to comply with the local NIS rules in that member state. If you also offer services in the UK, you will also need to continue to comply with the UK rules regarding your UK services.

  • Does eIDAS still apply?

    The eIDAS regulation covers electronic ID and trust services. It is an EU regulation and will no longer apply in the UK after the end of the transition period. However, the government intends to incorporate the eIDAS rules as they apply to trust services, but not electronic identification, into UK law from that date. In practice, if you are a UK trust service provider, you should assume that you will still need to comply with eIDAS rules.

    For more information, see our Guide to eIDAS (external link).

    If you offer trust services in the EU, you may also still need to comply with EU eIDAS law in other member states after the end of the transition period. The UK will no longer regulate that aspect of your services. But we intend to continue working closely with EU supervisory authorities.

  • Does FOIA still apply?

    Yes. The Freedom of Information Act 2000 forms part of UK law and will continue to apply.

    For more information, see our Guide to freedom of information (external link).

  • Do the EIR still apply?

    Yes. The Environmental Information Regulations will continue to apply unless specifically repealed or amended. They derive from EU law, but are set out in UK law. The UK has also independently signed up to the underlying international treaty on access to environmental information (the Aarhus Convention).

    For more information, see our Guide to the EIR (external link).

  • Will ICO be producing more guidance?

    The core data protection principles, obligations and rights will remain the same. So, at this stage, we don’t need to produce an entirely new range of guidance. However, some specific areas – chiefly in cross-border supervision and enforcement, and international transfers – are specifically affected. So we have recently produced the following guidance:

    ICO will also keep our Guide to Data Protection – and in particular our guidance on international transfers – under regular review, and update it to reflect the latest developments.

    ICO will also regularly update these FAQs to reflect the queries we receive.

    In the meantime, given that we expect UK data protection law to remain aligned with the GDPR, our Guide to Data Protection remains a good source of advice and guidance on how to comply with UK and EU data protection rules both now and after the transition period.
