As part of the Trade and Cooperation Agreement concluded on 24 December 2020 between the European Union and the United Kingdom, it has been agreed that the GDPR will remain applicable in the United Kingdom for a maximum period of 6 months, except for the “one-stop-shop” provisions, which are no longer applicable in the United Kingdom since 1 January 2021.
Thus, until 1 July 2021, any transfer of personal data to the UK will be possible without the implementation of additional safeguards.
After this date, transfers from the EEA to the UK will be considered as data transfers to third countries unless the European Commission adopts an adequacy decision to regulate data transfers. The Commission is expected to adopt such a decision quickly if the UK retains data protection legislation similar to the GDPR.
What is the legal framework for the protection of personal data?
Up until July 2021, the GDPR is still applicable and transfer of personal data from the EU to the UK do not require the implementation of additional safeguard (e.g. BCR etc.).
From July 2021, The GDPR will no longer be directly applicable and processing of personal data in the UK will be subject to the UK data protection act only.
As a result, personal data transfers to the UK will require the implementation of additional guarantees as provided for in the GDPR, unless the European Commission adopts an adequacy decision recognising the UK as a country whose legislation provides a level of data protection equivalent to that in the EU.
In this regard, the European Commission is expected to adopt this decision very soon as long as the UK keeps its current data protection legal framework as it is today (unless surveillance/national security law are not considered as compliant with Human Right Convention).
End of “one-stop-shop” for data controllers and processors
Only data controllers and processors who have set up a new main establishment in the EEA will continue to benefit from the one-stop-shop mechanism.
Without a main establishment in the European Economic Area (EEA), controllers or processors located in the UK whose processing activities are still subject to the GDPR can no longer benefit from the one-stop-shop mechanism.
Thus, they are required to appoint a representative in the Union who can be contacted by supervisory authorities and data subjects on any issue related to the processing activities.