What does a “hard Brexit” mean from the perspective of personal data protection?

The manner of Great Britain’s departure from the EU still remains unclear, so we need to be prepared for at least two scenarios. Each has different consequences for personal data protection.

The first scenario assumes that Great Britain will leave the EU with a negotiated agreement that includes a transition period until 31 December 2020. During such a transition period, Great Britain would continue to be subject to EU laws and personal data would be transferred between EU member states and the United Kingdom without the need to introduce additional protective measures.

The second scenario is that no agreement is approved and a “hard Brexit” occurs. In such an event, as of 29th March 2019, Great Britain would be treated as a third country within the meaning of the GDPR, so personal data could only be transferred to the UK upon having met the requirements defined in chapter V of the GDPR.

What does hard Brexit mean for organisations which transfer personal data to the United Kingdom as part of their business?

All entities transferring personal data to the United Kingdom will be subject to additional obligations which do not currently apply. Great Britain, although currently considered a country with a high level of personal data protection standards, would not be treated as a country which provides an adequate level of protection after 29th March 2019.

Polish companies transferring personal data to the United Kingdom (e.g. to their customers, business partners or companies within the same capital group) would need to confirm that such a transfer meets at least one of the requirements defined in chapter V of the GDPR. Data transfers to a third country are possible provided that the data subjects receive the appropriate rights and guarantees of protection.

The following are considered to be appropriate guarantees:

  • standard contractual clauses which provide the basis for transferring personal data to entities located in a third country. Such clauses must be approved by the European Commission and cannot be significantly modified when applied in agreements,
  • binding corporate rules (i.e. rules compatible with the GDPR’s requirements); they are applicable if at least one organisational unit within a given entity has its registered office in the EU and the other has its registered office in a third country. In such a situation, binding corporate rules are applicable to all members of such a group of companies, so the legal requirements concerning data protection are met,
  • code of conduct approved by the supervisory authority,
  • consent of the data subject.

Such consent should be express, which means that, apart from meeting the general requirements of a consent under the GDPR, it should be an informed consent made in the form of an express declaration.

How should personal data be legally transferred to Great Britain in the event of a “hard Brexit”?

In order to ensure the legality of data transfers after 29 March 2019, the easiest solution is to act pursuant to a transfer agreement concluded with the entity receiving the data, in the form of standard contractual clauses approved by the European Commission.

“Hard Brexit” entails other complications for entrepreneurs:

  • changes in the register of processing activities and register of categories of processing activities – each entity transferring data to the United Kingdom will need to record the transfer in the relevant register of processing activities and register of categories of processing activities,
  • changes to the privacy policy – data subjects will need to be notified that their data are transferred to a country which does not provide a sufficient protection level and that the relevant solutions are applied, for example the above-mentioned standard contractual clauses,
  • conclusion of transfer agreements.

The threat of sanctions

It should also be remembered that, in extreme cases, transferring data to Great Britain may entail the risk that the President of the Personal Data Protection Office may impose a fine on the transferring company up to the amount of:

  • EUR 20 million

or

  • 4% of the company’s total global turnover in the previous accounting year (the higher of the two aforementioned amounts applies).

All of these potential problems can be avoided if the EU and the United Kingdom reach an agreement. Soon, we will see which of the above scenarios will be faced by Polish entrepreneurs.

If you wish to avoid fines and prepare for the possibility of a “hard Brexit”, we encourage you to contact us.

          

Joanna Tomaszewska

Partner, personal data practice leader, intellectual property, TMT

Aleksandra Cisoń – Kurdziel

Attorney at the personal data practice, intellectual property, TMT