EN
Technology

The United Kingdom is now an “adequate third country” for international data transfers

logo
Legal news
calendar 25. August 2021
globus Denmark, Sweden, Norway

The European Commission recently adopted its adequacy decision for the United Kingdom. With this decision companies can freely let its data flow to the United Kingdom. In this newsletter, we are taking a closer look at what companies should consider in connection with international data transfers, irrespective of whether the transfer is directed towards an adequate third country or not.

That the United Kingdom now is considered as a third country offering an adequate level of protection means that personal data can flow freely across the border. When the European Commission decides if a third country offers an adequate level of protection under the applicable data protection rules, it does not only include an analysis of that country’s data protection rules, but also an assessment of that country’s rule of law etc.

In relation to the adequacy decision adopted for the United Kingdom, the European Commission emphasized that the United Kingdom has implemented the same principles, rights and obligations which, among other things, follow from the General Data Protection Regulation. The European Commission regularly reviews its adequacy decisions, which in any case expires after four years, unless a renewal takes place.

Do you have control of your international personal data transfers?

Although the United Kingdom now is considered to be an “adequate third country”, most of the other third countries are either only considered “partly secure” or “unsecure”. Companies should therefore have clear procedures in place to ensure that international personal data transfers always are in accordance with the applicable rules, no matter what third country the data is being transferred to.

As a result, companies should as a minimum consider a few questions, namely:

  • Which third countries do we transfer personal data to?
  • What appropriate safeguards can we apply?
  • Have we satisfied our information obligations?
  • Do we offer the necessary level of security?

The applicable data protection rules include several appropriate safeguards, but the choice of the right safeguard will depend on several circumstances, including whether the data transfer is done by a large group or several companies with joint financial activities. Moreover, special situations may also result in the personal data transfer not requiring any appropriate safeguard.

IUNO’s opinion

The adequacy decision for the United Kingdom is good news for most companies, but also shows just how high standards the European Commission has before considering that a third country is “adequate”. However, other third countries are on the way to join the list of adequate third countries and the European Commission has already initiated the formal procedure for adopting an adequacy decision for South Korea. At the same time, discussions are ongoing with the United States to find an alternative to the former Privacy Shield-mechanism.

IUNO recommends that companies have fixed procedures in place to ensure that international data transfers always comply with the applicable data protection rules. In this connection, it is namely important to remember to apply the appropriate transfer mechanisms for non-adequate third countries and to remember the duty to inform data subjects. Companies using the most common transfer mechanism, the standard contractual clauses, must also be aware of the new standard contractual clauses that were adopted on 4 June 2021 and that it is also a requirement to ensure that the data importer is actually able to live up to the obligations under the standard contractual clauses.

Read more of how IUNO can help your company to ensure compliance with the GDPR here.

[The European Commission’s adequacy decision pursuant to the General Data Protection Regulation of 28 June 2021]

That the United Kingdom now is considered as a third country offering an adequate level of protection means that personal data can flow freely across the border. When the European Commission decides if a third country offers an adequate level of protection under the applicable data protection rules, it does not only include an analysis of that country’s data protection rules, but also an assessment of that country’s rule of law etc.

In relation to the adequacy decision adopted for the United Kingdom, the European Commission emphasized that the United Kingdom has implemented the same principles, rights and obligations which, among other things, follow from the General Data Protection Regulation. The European Commission regularly reviews its adequacy decisions, which in any case expires after four years, unless a renewal takes place.

Do you have control of your international personal data transfers?

Although the United Kingdom now is considered to be an “adequate third country”, most of the other third countries are either only considered “partly secure” or “unsecure”. Companies should therefore have clear procedures in place to ensure that international personal data transfers always are in accordance with the applicable rules, no matter what third country the data is being transferred to.

As a result, companies should as a minimum consider a few questions, namely:

  • Which third countries do we transfer personal data to?
  • What appropriate safeguards can we apply?
  • Have we satisfied our information obligations?
  • Do we offer the necessary level of security?

The applicable data protection rules include several appropriate safeguards, but the choice of the right safeguard will depend on several circumstances, including whether the data transfer is done by a large group or several companies with joint financial activities. Moreover, special situations may also result in the personal data transfer not requiring any appropriate safeguard.

IUNO’s opinion

The adequacy decision for the United Kingdom is good news for most companies, but also shows just how high standards the European Commission has before considering that a third country is “adequate”. However, other third countries are on the way to join the list of adequate third countries and the European Commission has already initiated the formal procedure for adopting an adequacy decision for South Korea. At the same time, discussions are ongoing with the United States to find an alternative to the former Privacy Shield-mechanism.

IUNO recommends that companies have fixed procedures in place to ensure that international data transfers always comply with the applicable data protection rules. In this connection, it is namely important to remember to apply the appropriate transfer mechanisms for non-adequate third countries and to remember the duty to inform data subjects. Companies using the most common transfer mechanism, the standard contractual clauses, must also be aware of the new standard contractual clauses that were adopted on 4 June 2021 and that it is also a requirement to ensure that the data importer is actually able to live up to the obligations under the standard contractual clauses.

Read more of how IUNO can help your company to ensure compliance with the GDPR here.

[The European Commission’s adequacy decision pursuant to the General Data Protection Regulation of 28 June 2021]

Receive our newsletter

Anders

Etgen Reitz

Partner

Kirsten

Astrup

Senior associate

Similar

logo
Technology

28 April 2022

First fine to a public authority for breach of the data protection rules

logo
Technology

31 March 2022

New guidelines clarify when processing is an international data transfer

logo
Technology

31 March 2022

24/7 CCTV monitoring at the workplace was a breach of the data protection rules

logo
Technology

24 February 2022

No unconditional right of access under whistleblower schemes

logo
Technology HR-legal Corporate

2 November 2021

Joint whistleblower schemes for multinationals

logo
HR Legal Corporate Technology

20 October 2021

New Act on the protection of whistleblowers on the way

The team

Anders

Etgen Reitz

Partner

Kirsten

Astrup

Senior associate