Published: 2019-05-20 08:22
Column – by jur. kand. Margarita Kozlov and jur. kand. Jenny Nelson, Baker McKenzie
A hard exit from the European Union, in which the UK leaves without a Brexit deal (“no-deal Brexit”), will have significant and immediate consequences for data protection and the General Data Protection Regulation (GDPR). What many companies do not know is that in this case the UK will automatically become a so-called third country, to which personal data may not be transferred freely.
The British Parliament voted to delay the Brexit date to October 31, 2019. However, the UK can leave sooner if it signs an exit agreement with the EU.
In the absence of an exit agreement, or of a European Commission decision that the UK has an adequate level of protection for the processing of personal data, alternative safeguards are required for the transfer of personal data from the EU to the UK. Examples include standard contractual clauses or binding corporate rules.
Many international companies with operations in the UK have developed binding corporate rules to govern their processing of personal data. There is a risk that the Swedish Data Inspectorate will not have time to approve all of these if there is a British withdrawal without an agreement. However, both the UK and the EU have stated that there is a strong will to enable the transfer of personal data without taking appropriate safeguards.
Thus, a “no-deal” Brexit means tougher demands on the processing of personal data across borders, and companies' GDPR managers should review their data flows to the UK. Before Brexit, businesses operating in the UK should consider the following:
1. Responsible supervisory authorities
As a general rule, the data controller should have contact only with the supervisory authority of the country, which is called the “responsible supervisory authority”.
Whether the UK withdraws in an orderly fashion or not, organizations must check which country's regulator will be the responsible regulator after Brexit, particularly if the responsible regulator is currently the UK’s ICO (Information Commissioner’s Office).
Organizations that have their responsible supervisory authority in an EU member state but also process personal data about individuals in the UK will need to contact the ICO after Brexit.
2. Personal data incidents
In the event of cross-border personal data incidents involving both the UK and an EU country, a notification must be sent to both the responsible supervisory authority in the EU country and the ICO. If no responsible supervisory authority has been identified, in some cases it may be necessary to inform all relevant supervisory authorities.
We recommend that companies review their incident reporting procedures and learn how to submit a potential report to the ICO.
3. Records of processing
According to the GDPR, organizations are required to keep a record or list of how personal data is processed. The record should, among other things, contain information about transfers of personal data to third countries, and it should be updated.
When the UK leaves the EU, Swedish companies transferring data to the UK will need to update their records and ensure they contain data on transfers to the UK, along with information on appropriate safeguards being taken.
4. Privacy notices
In the past year, we have all received a very large number of privacy messages and emails containing information about the processing of personal data. The idea behind so-called “privacy notices” and other privacy statements is that they should be living, up-to-date documents.
When the UK is considered a third country, companies' GDPR managers will need to review their privacy statements to ensure they contain information about transfers to third countries. Organizations that transfer personal data to the UK, even within their own group, will need to provide updated privacy notices.
GDPR received a great deal of focus last year. The focus this year has been on Brexit, and Swedish companies with exposure in the UK are creating new corporate structures in the EU. But it is also important that companies prepare for the measures that need to be taken so that the transfer of personal data to the UK can continue. Uncertainty is high, but businesses need to plan for Brexit.
The writers work with labor law and data protection issues at Baker McKenzie Advokatbyrå and write regularly for Dagens Juridik.