EN
Technology

The United Kingdom is now an “adequate third country” for international data transfers

logo
Legal news
calendar 25. August 2021
globus Denmark, Sweden, Norway

The European Commission recently adopted its adequacy decision for the United Kingdom. With this decision companies can freely let its data flow to the United Kingdom. In this newsletter, we are taking a closer look at what companies should consider in connection with international data transfers, irrespective of whether the transfer is directed towards an adequate third country or not.

That the United Kingdom now is considered as a third country offering an adequate level of protection means that personal data can flow freely across the border. When the European Commission decides if a third country offers an adequate level of protection under the applicable data protection rules, it does not only include an analysis of that country’s data protection rules, but also an assessment of that country’s rule of law etc.

In relation to the adequacy decision adopted for the United Kingdom, the European Commission emphasized that the United Kingdom has implemented the same principles, rights and obligations which, among other things, follow from the General Data Protection Regulation. The European Commission regularly reviews its adequacy decisions, which in any case expires after four years, unless a renewal takes place.

Do you have control of your international personal data transfers?

Although the United Kingdom now is considered to be an “adequate third country”, most of the other third countries are either only considered “partly secure” or “unsecure”. Companies should therefore have clear procedures in place to ensure that international personal data transfers always are in accordance with the applicable rules, no matter what third country the data is being transferred to.

As a result, companies should as a minimum consider a few questions, namely:

  • Which third countries do we transfer personal data to?
  • What appropriate safeguards can we apply?
  • Have we satisfied our information obligations?
  • Do we offer the necessary level of security?

The applicable data protection rules include several appropriate safeguards, but the choice of the right safeguard will depend on several circumstances, including whether the data transfer is done by a large group or several companies with joint financial activities. Moreover, special situations may also result in the personal data transfer not requiring any appropriate safeguard.

IUNO’s opinion

The adequacy decision for the United Kingdom is good news for most companies, but also shows just how high standards the European Commission has before considering that a third country is “adequate”. However, other third countries are on the way to join the list of adequate third countries and the European Commission has already initiated the formal procedure for adopting an adequacy decision for South Korea. At the same time, discussions are ongoing with the United States to find an alternative to the former Privacy Shield-mechanism.

IUNO recommends that companies have fixed procedures in place to ensure that international data transfers always comply with the applicable data protection rules. In this connection, it is namely important to remember to apply the appropriate transfer mechanisms for non-adequate third countries and to remember the duty to inform data subjects. Companies using the most common transfer mechanism, the standard contractual clauses, must also be aware of the new standard contractual clauses that were adopted on 4 June 2021 and that it is also a requirement to ensure that the data importer is actually able to live up to the obligations under the standard contractual clauses.

Read more of how IUNO can help your company to ensure compliance with the GDPR here.

[The European Commission’s adequacy decision pursuant to the General Data Protection Regulation of 28 June 2021]

That the United Kingdom now is considered as a third country offering an adequate level of protection means that personal data can flow freely across the border. When the European Commission decides if a third country offers an adequate level of protection under the applicable data protection rules, it does not only include an analysis of that country’s data protection rules, but also an assessment of that country’s rule of law etc.

In relation to the adequacy decision adopted for the United Kingdom, the European Commission emphasized that the United Kingdom has implemented the same principles, rights and obligations which, among other things, follow from the General Data Protection Regulation. The European Commission regularly reviews its adequacy decisions, which in any case expires after four years, unless a renewal takes place.

Do you have control of your international personal data transfers?

Although the United Kingdom now is considered to be an “adequate third country”, most of the other third countries are either only considered “partly secure” or “unsecure”. Companies should therefore have clear procedures in place to ensure that international personal data transfers always are in accordance with the applicable rules, no matter what third country the data is being transferred to.

As a result, companies should as a minimum consider a few questions, namely:

  • Which third countries do we transfer personal data to?
  • What appropriate safeguards can we apply?
  • Have we satisfied our information obligations?
  • Do we offer the necessary level of security?

The applicable data protection rules include several appropriate safeguards, but the choice of the right safeguard will depend on several circumstances, including whether the data transfer is done by a large group or several companies with joint financial activities. Moreover, special situations may also result in the personal data transfer not requiring any appropriate safeguard.

IUNO’s opinion

The adequacy decision for the United Kingdom is good news for most companies, but also shows just how high standards the European Commission has before considering that a third country is “adequate”. However, other third countries are on the way to join the list of adequate third countries and the European Commission has already initiated the formal procedure for adopting an adequacy decision for South Korea. At the same time, discussions are ongoing with the United States to find an alternative to the former Privacy Shield-mechanism.

IUNO recommends that companies have fixed procedures in place to ensure that international data transfers always comply with the applicable data protection rules. In this connection, it is namely important to remember to apply the appropriate transfer mechanisms for non-adequate third countries and to remember the duty to inform data subjects. Companies using the most common transfer mechanism, the standard contractual clauses, must also be aware of the new standard contractual clauses that were adopted on 4 June 2021 and that it is also a requirement to ensure that the data importer is actually able to live up to the obligations under the standard contractual clauses.

Read more of how IUNO can help your company to ensure compliance with the GDPR here.

[The European Commission’s adequacy decision pursuant to the General Data Protection Regulation of 28 June 2021]

Receive our newsletter

Anders

Etgen Reitz

Partner

Kirsten

Astrup

Senior associate

Similar

logo
Technology

9 September 2021

Failure to comply with retention periods resulted in EUR 1.75 million fine

logo
Technology

1 September 2021

Can companies “snoop” in former employees’ e-mail accounts?

logo
HR Legal Technology

29 August 2021

GDPR did not prevent company from sharing employee data with trade union

logo
HR Legal Technology

10 June 2021

Can companies ask to see their employees’ corona passport?

The team

Anders

Etgen Reitz

Partner

Kirsten

Astrup

Senior associate