.png?width=178&height=52&name=logo_transparent%20(4).png "PrivacyPerfect_logo.png"){kind=logo}
On Dec 31st, 2020, the clock strikes zero for the Brexit transition period. Unless the EU and UK can strike a deal on privacy within the limited time that is left, the UK will become a third country for the member states of the European Economic Area. This has several consequences in the area of privacy. To help you during this time of uncertainty, we have compiled a checklist with things you need to check before the deadline.
Organisations in the UK that collect and/or receive EEA personal data
▢ Check if you are required to have a representative in the EEA
▢ Mention EEA representative in website privacy statement
▢ Check all notices, website privacy statements and internal policies for the correct references to the UK and/or EU GDPR. Which one depends on the location of data subjects
▢ Check whether you have to report your DPO to one or more competent supervisory authorities in the EEA
▢ Check the register of processing activities for UK-EEA data streams and account for the UK being a third country for the EEA
▢ Check whether additional data transfer agreements need to be put in place or existing agreements changed now that the UK is a third country and no longer part of the EEA
▢ The UK considers the EEA adequate countries, to which data can be freely transferred. When receiving EEA personal data, check if there are transfer mechanisms (such as SCC) in place.
▢ When relying on BCR with the ICO as lead supervisor, see the EDPB information note on whether you need to change anything
▢ Monitor possible future deviations between the UK and EU privacy rules as well as the adequacy status of the UK
Organisations in the EEA that collect and/or receive UK personal data
▢ Check if you are required to have an representative in the UK
▢ Mention UK representative in website privacy statement
▢ Check all notices, website privacy statements and internal policies for the correct references to the UK and/or EU GDPR. Which one depends on the location of data subjects
▢ Check whether you have to report your DPO to the ICO
▢ Check the register of processing activities for UK-EEA data streams and account for the UK being a third country for the EEA
▢ Check whether additional data transfer agreements need to be put in place or existing agreements changed now that the UK is a third country and no longer part of the EEA
▢ The UK considers the EEA adequate countries, so UK personal data can be freely received. When sending EEA personal data to the UK, check if there are transfer mechanisms (such as SCC) in place
▢ When relying on BCR with the ICO as lead supervisor, see the EDPB information note on whether you need to change anything
▢ Monitor possible future deviations between the UK and EU privacy rules as well as the adequacy status of the UK
Organisations with establishments in both the UK and EEA
▢ When your main establishment is in the UK, check whether it can be moved to EEA if you want to continue to benefit from having a single point of contact for privacy in the country of your main establishment (one-stop-shop mechanism)
▢ Check all notices, website privacy statements and internal policies for the correct references to the UK and/or EU GDPR. Which one depends on the location of data subjects
▢ Check whether you have to report your DPO to the ICO and/or competent supervisory authorities in the EEA
▢ Check the register of processing activities for UK-EEA data streams and account for the UK being a third country for the EEA
▢ Check whether additional data transfer agreements need to be put in place or existing agreements changed now that the UK is a third country and no longer part of the EEA
▢ The UK considers the EEA adequate countries, to which data can be freely transferred. When sending EEA personal data to the UK, check if there are transfer mechanisms (such as SCC) in place.
▢ When relying on BCR with the ICO as lead supervisor, see the EDPB information note on whether you need to change anything
▢ Monitor possible future deviations between the UK and EU privacy rules as well as the adequacy status of the UK
Organisations outside the UK or EEA that collect or receive UK and/or EEA personal data
▢ Check if you are required to have an representative in both the UK and EEA, or have to switch their location from one to the other
▢ Mention additional representatives or change in representatives in website privacy statement
▢ Check all notices, website privacy statements and internal policies for the correct references to the UK and/or EU GDPR. Which one depends on the location of data subjects
▢ Check whether you have to report your DPO to the ICO and/or competent supervisory authorities in the EEA
▢ Check whether additional data transfer agreements need to be put in place or existing agreements changed now that the UK is no longer part of the EEA
▢ When relying on BCR with the ICO as lead supervisor, see the EDPB information note on whether you need to change anything
▢ Monitor possible future deviations between the UK and EU privacy rules
SHARE