Brexit and GDPR


Brexit will bring numerous political and social effects, but will also impact legal matters. It will also directly affect personal data controllers. If you as a data controller use services of companies that store/ process personal data in the United Kingdom, you should check whether your data processing agreement is ready for Brexit.

Despite Brexit postponement, it is still the most likely scenario – especially considering the results of the European Parliament election. Whether the deal determining the terms of the United Kingdom’s departure from the EU will be made or not is still a big unknown.

In the case of no deal Brexit, the UK will be given the so called “third country” status upon leaving the EU. This means that personal data transfer to the UK will require the application of:

  • Standard or ad hoc data protection clauses in the existing data processing agreements;
  • Binding corporate rules should data transfer occur within a group of associated entities;
  • Codes of conduct (with certification mechanisms);
  • Other special instruments available to public authorities.

Obviously in most cases the easiest solution seems to be amendment of the existing processing agreements with UK entities (as processors) with appropriate additional data protection clauses.

In terms of data transfer in the other direction, from the UK to EEA, based on the communication of the European Data Protection Board, according to the UK government, free data flow will be still possible

Grzegorz Leśniewski – attorney at law