DATA PROTECTION
Italian Data Protection Authority: Brexit and GDPR, what happens now.
Since January 1st, 2021, the United Kingdom has left the European Union: the so-called "Brexit" process has been completed. What are the consequences in terms of data protection? With regard to data flows to the United Kingdom, which has therefore become a third country, reference must be made to the trade and cooperation agreement signed on 30 December 2020 between the United Kingdom and the European Union. This agreement provides, among other things, that the United Kingdom will continue to apply the European Data Protection Regulation for a further period of up to 6 months (therefore until 30 June 2021). Consequently, in this period any communication of personal data to the United Kingdom can take place according to the same rules valid as of 31 December 2020 and will not be considered a transfer of data to a third country.
In the meantime, the European Commission and the UK government have undertaken, again under the Agreement, to work on mutual adequacy decisions that allow the data flows to continue without interruption, even after the transitional period mentioned above. If not, all the provisions of Chapter V of the GDPR will apply, which require the existence of adequate guarantees (standard contractual clauses, binding corporate rules, administrative agreements, certifications, codes of conduct) to transfer data from the EU. (more precisely from the EEA, the European economic area) to an inadequate third country, or allow some exceptions in the absence of adequate guarantees (explicit consent of the interested party, public interest of an EEA member state, etc.), but only in via residual and according to a very restrictive approach. As regards any disputes or cross-border complaints in the field of data protection with data controllers or processors established in the United Kingdom, from 1 January 2021 the United Kingdom as a third country will no longer apply the "one-stop-shop" mechanism (one stop shop) which governs these disputes between EEA countries. In essence, companies based in the United Kingdom will no longer be able to benefit from the possibility of dealing with a single "lead" authority (ie, the competent authority for the main or single establishment in the EEA) for the various obligations provided for by the European Regulation. In order to continue enjoying the benefits of the one-stop shop, they would have to identify a new main establishment in an EEA Member State.
In any case, from January 1st, 2021, the controllers and processors based in the United Kingdom who are subject to the application of the GDPR pursuant to Article 3(2) are required to designate a "representative" in the EEA pursuant to of article 27 of the GDPR. This representative can be contacted by the supervisory authorities and by the persons concerned for any matter relating to the processing activities in order to guarantee compliance with the GDPR. It is always possible for data subjects who are located within our country - and whose data are processed for the offer of goods and services or for monitoring their behavior by owners established in the United Kingdom - to contact the Guarantor for the protection of their rights.
(Source: Web site garanteprivacy.it – Author and Ownership of the contents: Italian Data Protection Authority).
In the meantime, the European Commission and the UK government have undertaken, again under the Agreement, to work on mutual adequacy decisions that allow the data flows to continue without interruption, even after the transitional period mentioned above. If not, all the provisions of Chapter V of the GDPR will apply, which require the existence of adequate guarantees (standard contractual clauses, binding corporate rules, administrative agreements, certifications, codes of conduct) to transfer data from the EU. (more precisely from the EEA, the European economic area) to an inadequate third country, or allow some exceptions in the absence of adequate guarantees (explicit consent of the interested party, public interest of an EEA member state, etc.), but only in via residual and according to a very restrictive approach. As regards any disputes or cross-border complaints in the field of data protection with data controllers or processors established in the United Kingdom, from 1 January 2021 the United Kingdom as a third country will no longer apply the "one-stop-shop" mechanism (one stop shop) which governs these disputes between EEA countries. In essence, companies based in the United Kingdom will no longer be able to benefit from the possibility of dealing with a single "lead" authority (ie, the competent authority for the main or single establishment in the EEA) for the various obligations provided for by the European Regulation. In order to continue enjoying the benefits of the one-stop shop, they would have to identify a new main establishment in an EEA Member State.
In any case, from January 1st, 2021, the controllers and processors based in the United Kingdom who are subject to the application of the GDPR pursuant to Article 3(2) are required to designate a "representative" in the EEA pursuant to of article 27 of the GDPR. This representative can be contacted by the supervisory authorities and by the persons concerned for any matter relating to the processing activities in order to guarantee compliance with the GDPR. It is always possible for data subjects who are located within our country - and whose data are processed for the offer of goods and services or for monitoring their behavior by owners established in the United Kingdom - to contact the Guarantor for the protection of their rights.
(Source: Web site garanteprivacy.it – Author and Ownership of the contents: Italian Data Protection Authority).
