The European Commission announced a draft UK adequacy decision on February 19, 2021. A move that will allow data to flow freely between the EU and the UK. This is welcome news to many organizations that depend on a regular transfer of personal data to conduct their business. Data flows between the European Economic Area and the UK will remain safeguarded under the EU-UK Trade and Cooperation Agreement until June 30, 2021.
In this blog, we’ll answer your top 5 most frequently asked questions about the UK adequacy decision.
Watch the webinar: UK Adequacy Decision: What You Need to Know
1. How does this decision affect larger Group entities that will have a Group DPO?
Group DPO can still act as a DPO both from the perspective of the EU and UK GDPR. It is worth noting that if the larger Group entities also consider appointing UK or EU representative function (for instances where the organization is not based in UK/EU respectively), these functions cannot be held by the same persons that are already in the DPO position.
2. If the UK transfers data to the US before June 30, 2021 and there’s a positive adequacy decision, should we transfer as a third country using SCCs, BCRs, etc.?
For UK transfers to the US before June 30, 2021 (and even after the positive UK adequacy decision), the third-country mechanisms are necessary to protect the personal data flows – SCCs, BCRs, explicit consent, and (where applicable) other derogations under GDPR Art. 49 need to be considered and documented for such transfers.
3. Does this mean the same person cannot be the DPO/EU Rep for an organization that is both in the UK and EU?
That is exactly correct. The regulatory authorities have highlighted that the DPO and EU/UK Rep functions cannot be held by the same person due to potential conflict of interest – the DPO role being inherently independent whereas the EU/UK Rep role being directly subject to the business decisions.
4. Can you share more about Assess Effectiveness?
This is a third step from the 6-step process proposed by the EDPB draft Supplementary Measures Recommendations. This step requires businesses to assess whether the Article 46 GDPR transfer tool they are relying on is effective in light of all circumstances of the transfer.
The EDPB emphasizes that a transfer tool or mechanism under Article 46 of the GDPR may not be able to ensure ongoing adequate protection for personal data in and of itself. Therefore, an assessment must be conducted once an Article 46 tool has been selected in order to determine where and how such essentially equivalent protection can be guaranteed. The responsibility for this assessment largely resides with the data exporter.
The assessment should primarily focus on the laws, regulations, and practices of the recipient jurisdiction, and particularly whether there are any risks that may affect the safeguards of the Article 46 transfer tool, such as unrestricted access to personal data by public authorities. Where appropriate, the EDPB recommends that the data importer may be able to assist in conducting the assessment.
You can read more about the EDPB’s recommendations for assessing effectiveness, here.
5. Can we still use the Privacy Shield? I thought this was made invalid due to the Schrems II decision.
Yes, the Privacy Shield as a certification scheme for US businesses is still active and the certification remains valid. The Schrems II ruling caused it to be invalid as a standalone transfer mechanism for personal data. However, the Privacy Shield still contains helpful elements for protecting personal data: the self-assessment of privacy obligations alongside an independent dispute resolution mechanism. For those reasons, US businesses may consider retaining the Privacy Shield certification and leveraging it as evidence of the business employing organizational measures to protect personal data transfers while relying on other transfer mechanisms under the GDPR – such as Standard Contractual Clauses (SCCs).
UK Adequacy Decision Next Steps
The European Data Protection Board (EDPB) will review the draft adequacy decision and provide their opinion on the findings. It will then be up for approval by a committee of EU Member States before the final decision is adopted. Adequacy arrangements will be subject to a reassessment every four years, to ensure that UK rules do not jeopardize EU citizens’ privacy.
Find out how OneTrust can help your organization adapt to the Schrems II decision and keep your privacy program aligned with GDPR requirements.
Further UK Adequacy reading:
- OneTrust Blog: The EU Commission Issues UK Adequacy Decision
- EU Commission Press Release: Data protection: European Commission launches process on personal data flows to UK
Further Information on Data Transfers Impacted by the Schrems II Ruling:
- OneTrust Blog: How Will the Schrems II Decision Impact Your Privacy Program?
- DataGuidance Portal: Schrems II
Next steps on UK Adequacy: