The United Kingdom is now an “adequate third country” for international data transfers
The European Commission recently adopted its adequacy decision for the United Kingdom. With this decision companies can freely let its data flow to the United Kingdom. In this newsletter, we are taking a closer look at what companies should consider in connection with international data transfers, irrespective of whether the transfer is directed towards an adequate third country or not.
That the United Kingdom now is considered as a third country offering an adequate level of protection means that personal data can flow freely across the border. When the European Commission decides if a third country offers an adequate level of protection under the applicable data protection rules, it does not only include an analysis of that country’s data protection rules, but also an assessment of that country’s rule of law etc.
In relation to the adequacy decision adopted for the United Kingdom, the European Commission emphasized that the United Kingdom has implemented the same principles, rights and obligations which, among other things, follow from the General Data Protection Regulation. The European Commission regularly reviews its adequacy decisions, which in any case expires after four years, unless a renewal takes place.
Do you have control of your international personal data transfers?
Although the United Kingdom now is considered to be an “adequate third country”, most of the other third countries are either only considered “partly secure” or “unsecure”. Companies should therefore have clear procedures in place to ensure that international personal data transfers always are in accordance with the applicable rules, no matter what third country the data is being transferred to.
As a result, companies should as a minimum consider a few questions, namely:
- Which third countries do we transfer personal data to?
- What appropriate safeguards can we apply?
- Have we satisfied our information obligations?
- Do we offer the necessary level of security?
The applicable data protection rules include several appropriate safeguards, but the choice of the right safeguard will depend on several circumstances, including whether the data transfer is done by a large group or several companies with joint financial activities. Moreover, special situations may also result in the personal data transfer not requiring any appropriate safeguard.
IUNO’s opinion
The adequacy decision for the United Kingdom is good news for most companies, but also shows just how high standards the European Commission has before considering that a third country is “adequate”. However, other third countries are on the way to join the list of adequate third countries and the European Commission has already initiated the formal procedure for adopting an adequacy decision for South Korea. At the same time, discussions are ongoing with the United States to find an alternative to the former Privacy Shield-mechanism.
IUNO recommends that companies have fixed procedures in place to ensure that international data transfers always comply with the applicable data protection rules. In this connection, it is namely important to remember to apply the appropriate transfer mechanisms for non-adequate third countries and to remember the duty to inform data subjects. Companies using the most common transfer mechanism, the standard contractual clauses, must also be aware of the new standard contractual clauses that were adopted on 4 June 2021 and that it is also a requirement to ensure that the data importer is actually able to live up to the obligations under the standard contractual clauses.
Read more of how IUNO can help your company to ensure compliance with the GDPR here.
[The European Commission’s adequacy decision pursuant to the General Data Protection Regulation of 28 June 2021]
That the United Kingdom now is considered as a third country offering an adequate level of protection means that personal data can flow freely across the border. When the European Commission decides if a third country offers an adequate level of protection under the applicable data protection rules, it does not only include an analysis of that country’s data protection rules, but also an assessment of that country’s rule of law etc.
In relation to the adequacy decision adopted for the United Kingdom, the European Commission emphasized that the United Kingdom has implemented the same principles, rights and obligations which, among other things, follow from the General Data Protection Regulation. The European Commission regularly reviews its adequacy decisions, which in any case expires after four years, unless a renewal takes place.
Do you have control of your international personal data transfers?
Although the United Kingdom now is considered to be an “adequate third country”, most of the other third countries are either only considered “partly secure” or “unsecure”. Companies should therefore have clear procedures in place to ensure that international personal data transfers always are in accordance with the applicable rules, no matter what third country the data is being transferred to.
As a result, companies should as a minimum consider a few questions, namely:
- Which third countries do we transfer personal data to?
- What appropriate safeguards can we apply?
- Have we satisfied our information obligations?
- Do we offer the necessary level of security?
The applicable data protection rules include several appropriate safeguards, but the choice of the right safeguard will depend on several circumstances, including whether the data transfer is done by a large group or several companies with joint financial activities. Moreover, special situations may also result in the personal data transfer not requiring any appropriate safeguard.
IUNO’s opinion
The adequacy decision for the United Kingdom is good news for most companies, but also shows just how high standards the European Commission has before considering that a third country is “adequate”. However, other third countries are on the way to join the list of adequate third countries and the European Commission has already initiated the formal procedure for adopting an adequacy decision for South Korea. At the same time, discussions are ongoing with the United States to find an alternative to the former Privacy Shield-mechanism.
IUNO recommends that companies have fixed procedures in place to ensure that international data transfers always comply with the applicable data protection rules. In this connection, it is namely important to remember to apply the appropriate transfer mechanisms for non-adequate third countries and to remember the duty to inform data subjects. Companies using the most common transfer mechanism, the standard contractual clauses, must also be aware of the new standard contractual clauses that were adopted on 4 June 2021 and that it is also a requirement to ensure that the data importer is actually able to live up to the obligations under the standard contractual clauses.
Read more of how IUNO can help your company to ensure compliance with the GDPR here.
[The European Commission’s adequacy decision pursuant to the General Data Protection Regulation of 28 June 2021]
Similar
Expensive right of access requests
Seven commandments when closing the business e-mail account
Unfair design practices resulted in a 345 million euro fine
Accessible personnel files resulted in a data breach
Deadline to establish whistleblower schemes for medium-sized companies approaching
New guidance from the Danish Data Protection Agency on direct marketing