An important decision in the field of economic cooperation between the European Union and the United Kingdom (UK) has been announced: the European Union Commission has adopted a decision on adequacy under the General Data Protection Regulation (GDPR).
In the UK, there is a level of data protection essentially equivalent to the level stipulated in EU law, according to the EU. Thus, the UK is a safe third country under data protection law. Consequences: In the future, personal data can be exchanged between the European Union and the United Kingdom without any additional obstacles. The adequacy decision became necessary due to Great Britain’s exit from the European Union. “This is a good day for companies on both sides of the English Channel. The agreement between the two economic zones ensures security in uncertain times,” explains UIMC Director Dr. Jörn Vosbin on the occasion of the announcement by the European Union Commission of the Convention.
The UK is now a ‘third country’
As of January 1, 2021, the United Kingdom is no longer a member of the European Union. This is why the European Union classifies the country as a third country according to the General Data Protection Regulation (GDPR). This approach is aimed at ensuring that the personal data of citizens of the Union is adequately protected, despite the fact that the processing companies are not subject to the data protection regulations of the GDPR. Ultimately, the European Union wants to ensure an adequate level of data protection. From the point of view of the European Union and the so-called third countries, such agreements are particularly desirable in order not to impede the movement of goods, trade and data, but on the contrary to secure jobs through legally secure frameworks and unimpeded data traffic. An agreement was reached with South Korea in March 2021, but the EU Commission has not yet formally accepted the agreement. Agreements have already been reached with Japan, Switzerland and Canada, among others.
The central elements of suitability decisions are:
- The UK’s data protection regime is still based on the same rules that applied when the UK was still a member of the European Union. The country has fully adopted the principles, rights and obligations of the General Data Protection Regulation in its current legal system.
- For the first time, the decision on suitability contains an expiration clause, which strictly limits its validity: the decision expires four years after its entry into force. An assessment will then be carried out to determine if the UK still has a level of data protection comparable to that of the EU.
Please confirm your email address!
Click the link in the email we just sent you. Also check your spam folder and whitelist us.
More information about the newsletter.
Companies can breathe a sigh of relief
The advantages are clear: data processing companies with data transfers to the UK do not have to do anything else, which also applies to contract processors, service providers such as the cloud, IT service providers or collective in-house shared service centres. If an adequacy decision had not been reached, it would usually have been necessary to conclude the EU’s standard contractual clauses. “Unlike the European Championship match at Wembley, there are only winners due to the European Union’s adequacy decision. In general, however, the transfer of data to third countries should not be so negligent,” warns data protection expert Dr. Jörn Vossbein shows a high degree of seriousness in data processing.