The GDPR (General Data Protection Regulation) came into force on May 25th 2018. These regulations focus on ensuring people have more control over their own data, and aim to make everything more transparent with a clearer environment in which to operate.
We have invested a lot of time in ensuring we are compliant with GDPR with a rigorous programme of activity to audit our data, reviewing the key scope and rules before implementing various processes and policies that enable us to continue working with our clients.
Brexit impact statement as at 8th January 2021
In respect of this transfer of data from the UK to the EEA (and vice versa) we have determined that this remains appropriate and legitimate in accordance with the current legislation.
The DP Brexit Regulations amend the retained EU law version of the GDPR (which is renamed the “UK GDPR”) and the Data Protection Act 2018 to create a single UK data protection regime for general processing that applies after Brexit. The amended UK data protection legislation provides that transfers from the UK to the EU can continue without additional protections being put in place, as EU countries will be deemed by the UK to have an adequate level of data protection. Our transfers of data to AWS in the EEA are currently fair and lawful on this basis, subject of course to ongoing review.
In respect of the data flowing back to the UK from the EEA: on 24 December 2020, the UK and the EU reached a trade and co-operation agreement addressing the arrangements following the end of the Brexit transition period on 31 December 2020 (implemented by the European Union (Future Relationship) Act 2020).
The final provisions of the agreement include an interim provision (bridging mechanism) for transmission of personal data to the UK from the EEA. This is for four months from the agreement entering into force, extended by two months unless one of the parties objects, or, if earlier, until there is an adequacy finding for the UK.
The agreement provides that personal data transfers from the EU/EEA to the UK can continue without additional safeguards and such transfers are not considered to be a transfer to a third country under EU law provided that the UK's applicable data protection regime continues to apply. The EU Commission is continuing its assessment of adequacy for the UK and both the UK and EU have noted the intention of the Commission to promptly launch the procedure for adoption of adequacy decisions.
If there is no adequacy finding for the UK during the additional transition period (or any further extension), the most likely mechanism to be used for transfers from the EU/EEA to the UK is the use of Standard Contractual Clauses. We are prepared for this potential eventuality and will confirm any steps required should this become necessary.
Whilst InfoTrack cannot give any advice regarding GDPR, we are happy to answer any questions relating to our own GDPR process. Simply email us at DPO@infotrack.co.uk.