Note 1 → Will the transfers continue after the United Kingdom’s withdrawal ?
If yes, is the transfer necessary? Bear in mind the principle of data minimization, which requires that you only process data that are necessary (and not only useful) to achieve the defined purposes.
If yes, is it possible to anonymise the personal data, so that it is not possible to identify the data subject, directly or indirectly? If so, no further steps are necessary, provided the general principles of the GDPR are complied with.
Note 2 → Contractual clauses:
You use IT services provided by a company based in the UK (such as cloud IT service), which stores the data in data centres located in the UK, or, you are a Luxembourg subsidiary company that sends personal data regarding its employees to the parent company based in the UK. In both cases, the use of standard data protection clauses (article 46 of the GDPR) will allow you to put in place a contractual framework for transferring personal data swiftly.
Note 3 → BCRs:
You may rely on BCRs if you are a company that is part of a multinational group that carries out a large number of international data transfers, or where such rules have already been adopted and are respected by the group, so that no further steps are needed.
Note 4 → Exceptions:
These could be used, for example if a Luxembourg bank transfers personal data to a bank in a third country in order to execute a client’s payment request, as long as the transfer does not occur in the framework of a stable cooperation relationship between the two banks.