Data Protection Academy » Data Protection News » GDPR and Brexit

The word Brexit is shown on a dark grey background. In the lower right corner is the Robin Data logo

GDPR and Brexit

Even if it currently looks as if the exit of the United Kingdom (UK) from the EU will be postponed further, it makes sense to deal with the focal point of Brexit now. Because with the UK's exit, it will be declared a third country.

With regard to the General Data Protection Regulation (GDPR) this means that personal data can only be transferred under certain conditions. This is because the GDPR always initially assumes that no equivalent level of data protection is guaranteed when classifying countries outside the EU.

In the case of the United Kingdom of Great Britain and Northern Ireland there are two scenarios:

Possible Brexit scenarios

Scenario 1: Deal-Brexit / regulated exit

  • The GDPR continues to apply for the transitional period until the end of 2020.
  • The transitional period may be extended by one year, with a deadline of 01.07.2020.
  • Firstly, there is no impact on cooperation.

Scenario 2: No-Deal-Brexit / unregulated exit

  • The UK becomes a third country within the meaning of the GDPR.
  • Concrete effects on the transfer of personal data.

In what case do entrepreneurs need to prepare for the no deal brexit?

If entrepreneurs answer 'yes' to any of the following questions, measures must be taken to ensure the level of data protection:

  1. Are branches, sales staff or even the headquarters of your company located in the UK?
  2. Do you transfer personal data to service providers or cooperation partners based in the UK?
  3. Are subcontractors of your contract processors located in the UK? Please note that this also applies to subcontractor situations (e.g. computer centres).

External Data Protection Officer

You are welcome to appoint us as your external data protection officer (DPO). We also offer individual consulting services as well as audits and will be happy to provide you with a non-binding offer. You can find more information about our external data protection officers on our website.

Discover DSB services

Five steps to prepare for a no-deal Brexit

  1. Determine which processing operations entail a transfer of personal data to the United Kingdom of Great Britain and Northern Ireland
  2. Determine the appropriate data transfer instrument (e.g. standard contractual clauses, binding corporate rules) for your situation.
  3. Convert the selected data transfer instrument so that it is ready for Brexit.
  4. Make a note in your internal documentation that transfers will be made to the UK.
  5. Update your privacy policy to inform individuals accordingly.

Three concrete measures

The independent federal and state data protection supervisory authorities recommend the following measures in particular:

  1. The information sheet on data processing and the privacy statement of a website shall provide information on the transfer of data to the third country and on the appropriate data protection safeguards used.
  2. When a data subject exercises his or her right of access, he or she must also be informed about the transfer of data to the third country and the appropriate data protection safeguards applied.
  3. The list of processing activities shall identify transfers of data to the third country as such and provide the other information required in this context.

Prof. Dr. Andre Döring
Latest posts by Prof. Dr. Andre Döring (see all)

This might interest you too:

Whatsapp Privacy

WhatsApp and privacy

The messenger service WhatsApp is part of the Facebook group to which Instagram also belongs. At the beginning of 2021, Whatsapp announced an adjustment of its privacy policy. What can users do?
Read more

Privacy issues in 2020: Interview with the BfDI office

Learn more about: Data processing by Facebook, Goolge & Co. Fines imposed by regulatory authorities. The impact of brexite on data protection in Europe.
Read more

GDPR ruling video surveillance medical practice

Data protection and video surveillance: How can you apply the BVerwG ruling to your practice?
Read more