The date on which Britain leaves the EU is currently expected to be March 29, 2019. After the House of Commons rejected the Brexit deal negotiated with the EU on January 16, 2019, and given that no significant rapprochement has taken place between the EU and Britain since then, a no-deal Brexit seems almost unavoidable. For companies with business relations in Britain, the hard Brexit scenario involves a multitude of obstacles relating to data protection. These will have to be overcome shortly.
Checking data streams to Britain
First of all, companies should check whether or not personal data are transmitted to Britain. This may concern, among others,
- employee data,
- supplier data, or
- customer data.
The use of in-house applications that are (temporarily) stored on IT systems located in Britain is particularly important in this context.
Britain becomes a third country
The fact that the EU has neither initiated nor concluded a procedure to determine whether Britain provides an appropriate level of data protection is particularly problematic. While the "Privacy Shield" provides sufficient guarantees for secure data transfers to the USA, there is no comparable adequacy decision for Britain.
As a consequence, Britain will have the status of a third country in terms of data protection (comparable with India or Russia), which means that companies will be required to actively provide guarantees for an adequate level of protection when transferring data.
What German companies should do now!
We recommend that companies rely on the legal instruments provided for in Art. 46 ff. GDPR (General Data Protection Regulation):
- Binding Corporate Rules (BCR);
- Standard Contractual Clauses (SCC);
- Exemption clauses for certain specific cases.
Where the transfer of data may be based on any of the above legal instruments, it may additionally be necessary to conclude a data processing agreement if, for instance, a company based in Germany wishes to use a British service provider.
WINHELLER adapts your privacy statement and records of processing activities
According to the information duties set out in Articles 13 and 14 of the GDPR, the controller will have to inform the data subject of the transfer of his/her personal data to a third country and state which appropriate safeguards it provides for the protection of the subject's data. The information on a third country transfer to Britain and the safeguards used will also have to be included in the records of processing activities pursuant to Art. 30 of the GDPR.
It cannot be excluded that the supervisory authorities will check individual companies having business relations in Britain for compliance with data protection laws and punish infringements, if any, by imposing a fine. Therefore, implementing contingency measures in preparation for a no-deal Brexit is not a voluntary exercise but an entrepreneurial duty. Our law firm is available to all companies concerned.