Brexit: the GDPR remains applicable in the United Kingdom for 6 months maximum

Following the trade and cooperation agreement between the United Kingdom and the European Commission, published on 25 December 2020, the CNPD updated its guidance on Brexit. This guidance aims to help companies, public bodies and Luxembourg associations that are transferring personal data to the United Kingdom, and which continue such transfers in 2021.

Pursuant to this agreement, the GDPR remains applicable in the United Kingdom for a maximum period of 6 months, allowing personal data to flow freely to the UK. Therefore, no additional step is required for Luxembourg entities until 1st July 2021. More specifically, companies, public bodies and Luxembourg associations that intend to continue to transfer personal data to the United Kingdom, will in principle not need to take additional steps for the specified period[1]. However, Luxembourg entities working with UK organisations may already put in place alternative transfer mechanisms, to safeguard against any interruption to the free flow of EU to UK personal data.

However, as  of  1  January  2021,  the  so-called “one-stop-shop  mechanism” (“OSS”) will  no  longer  apply  to  the  UK, therefore  the  UK Information Commissioner’s Office (ICO) will no longer be part of it. The OSS mechanism allows for a cooperation between EU Supervisory Authorities (“SAs”) and provides that the SA in the jurisdiction of the main or single establishment of the controller’s or processor’s takes the role of the lead supervisory authority.

------------------------------------------

[1] Unless the UK proceeds with one of the acts specified in article FINPROV.10A of the Agreement without the agreement of the EU (such as approve new legislation, approve UK BCRs, issue new standard contractual clauses, administrative arrangements, or codes of conduct).

Dernière mise à jour