info@winheller.com+49 (0)69 76 75 77 80Mon. - Fri. from 8am to 8pm, Sat. from 8am to 5pm

Brexit: Contingency measures for data protection in Germany

Feb 25, 19 • Privacy LawNo Comments
Brexit: Contingency measures for data protection in Germany

Adaptation of data protection required after Brexit.

The effective date, on which Britain leaves the EU, is currently expected to be March 29, 2019. After the House of Commons rejected the Brexit deal negotiated with the EU on January 16, 2019 and given that no significant rapprochement has taken place between the EU and Britain since then, a no-deal Brexit seems to be almost unavoidable. For companies having business relations in Britain, the hard Brexit scenario involves a multitude of obstacles relating to data protection issues. These will have to be overcome shortly.

Checking data streams to Britain

First of all, companies should check whether or not personal data are transmitted to Britain. This may concern, among others,

The use of in-house applications (temporarily) stored on IT systems located in Britain would be particularly important in this context.

Britain becomes a third country

The fact that the EU never initiated nor concluded a procedure designed to determine whether or not Britain provides an appropriate level of data protection is particularly problematic. While the “privacy shield” provides sufficient guarantees for secure data transfers to the USA, there is no comparable adequacy resolution for Britain.

As a consequence, Britain will have the status of a third country in terms of data protection (comparable with India or Russia) which means that companies will be required to actively provide guarantees for an adequate level of protection in case of data transfers.

What German companies should do now!

We recommend companies to rely on the legal instruments provided for in Art. 46 ff. GDPR (General Data Protection Regulation):

  • Binding Corporate Rules (BCR);
  • Standard Contractual Clauses (SCC);
  • Exemption clauses for certain specific cases.

Where the transfer of data may be based on any of the above legal instruments, concluding a data processing agreement may additionally be necessary if, for instance, a company based in Germany wishes to use a British service provider.

WINHELLER adapts your privacy statement and records of processing activities

According to the information duties set out in articles 13 and 14 of the GDPR, the controller will have to inform the data subject of the transfer of his/her personal data to a third country and notify which appropriate safeguards it provides for the protection of the subject’s data. The information on a third country transfer to Britain and the safeguards used will also have to be included in the records of processing activities pursuant to Art. 30 of the GDPR.

It cannot be excluded that the supervisory authorities will check individual companies having business relations in Britain for compliance with data protection laws and punish infringements, if any, by imposition of a fine. Therefore, implementing contingency measures in preparation of a no-deal Brexit is no voluntary exercise but an entrepreneurial duty. Our law firm is available to all companies concerned.

Continue reading:
Identify Weaknesses in Data Protection and Profit from Synergy Effects
Data Protection Compliance in Germany in Three Steps

Olga Stepanova

Olga Stepanova

Attorney Olga Stepanova works for Winheller in the areas of IT law, intellectual property and data protection. Her main fields of expertise include trademark law, copyright law, and competition law.

>> show profile

Leave a Comment

Your email address will not be published. Required fields are marked *

WINHELLER Blog via Newsletter

Subscribe to our free newsletter and receive regular updates on German business law by e-mail. (Mandatory fields are marked with *)

German Business Law News (4 times a year)
I would like to subscribe to the selected newsletter and for that purpose give my consent to WINHELLER to process my above mentioned data. I have read the "Information for Data Processing in the Newsletter Subscription". I understand that I can revoke my consent at any time with effect for the future by clicking the unsubscribe button within the newsletter. *