
On 31 December 2020 the transition period for the UK’s exit from the EU ended. For the purposes of EU law this means the UK is now a ‘third country’. This has implications across all areas of law and practice. Here we consider what the UK’s third country status means for the flow of personal data between the UK and countries within the European Economic Area (the EEA) where GDPR applies.

No Change – For Now

Unlike many other areas where change came immediately after the end of the transition period, data flow rules remain the same for an initial period of four months (this period can be extended). In this period it’s hoped that the EU will arrive at an ‘adequacy decision’ in respect of the UK’s post Brexit data protection framework.

Reaching An Adequacy Decision

If the EU determines that the UK adequately protects personal data then data should continue to flow as freely as before (subject to all GDPR and other requirements). But if the EU finds UK data protection law ‘inadequate’ then the UK will have to comply with EU GDPR data transfer rules as they apply to third countries.

Using SCCs When No Adequacy Decision Is Reached

If the EU decides that UK data protection law does not meet its adequacy requirements the implications for EEA and UK data controllers and processors will be significant. There are however existing mechanisms geared toward mitigating the disruption a ‘not adequate’ decision may lead to. These include SCCs – standard sets of contractual terms and conditions which the sender and the receiver of personal data both sign up to.

Do I Need A Contract For Data Transfers?

GDPR imposes a legal obligation on controllers and processors to formalise their working relationship. A contract also makes sense from a practical and commercial point of view. It demonstrates that controllers and processors are GDPR compliant, it affords greater protection to consumers and ensures clarity about each side’s role in protecting personal data in the course of their business.

In November 2020 the European Commission published proposed new SCCs, giving organisations a year to implement them. Key features of the proposals include:

  • Allowing exporters and importers of data to create a bespoke set of terms relevant to the kind of transfer they are engaged in. The SCCs can relate to one of four scenarios: controller to controller; controller to processor; processor to controller; and processor to processor
  • Docking clause – allowing a third party to agree to the SCCs rather than requiring them to enter into a separate contract
  • New express obligation on non-EEA controllers relating to breach reporting – non-EEA controller importers must notify EEA authorities about their data breaches. This applies regardless of whether the GDPR applies to the non-EEA controller or importer of data
  • Adoption of Schrems 2 – the Court of Justice ruling in the Schrems 2 case is reflected in the proposals for new SCCs. Parties must warrant the laws in their country will not prevent them from carrying out their obligations. In addition the SCCs oblige data importers to provide relevant information in the assessment of their country’s laws to comply with their data protection obligations
  • Template for GDPR Art 28 compliance – the new SCCs provide a template for use when a controller appoints a processor so that the arrangement between the two meets Article 28 GDPR requirements. However, the SCC proposal is only a template. This means that – so long as your processing clause is compliant with Art 28 – you do not need to adopt wholesale the SCC proposed template clause. Article 28(3) lists specific terms or clauses that must be included in the contract. These include the requirement that processing is limited to the documented instructions of the controller, that there are adequate security measures and appropriate end-of-contract provisions.

Contact Nath Solicitors

We advise a range of businesses on all aspects of data protection law. As we adapt to the post Brexit era it’s crucial that you get expert advice on compliance with GDPR and evolving related legislation. For more information please contact director Shubha Nath at Nath Solicitors on 44 (0) 203 670 5540 or contact the firm online.

