In the second of our Brexit countdown notes, Carl Spencer-Spear covers some specific examples of when you will need to consider UK vs EU GDPR rules.
We are fast approaching the end of 2020 and, with it, the end of the Brexit transitional period. The Government has consistently maintained that, deal or no deal, the UK will no longer be a member of the European Union (EU) or subject to EU rules on 1st January 2021.
Whilst the UK and EU continue to work hard towards reaching agreement on a post-Brexit deal, businesses are being urged to prepare for a no-deal scenario. The UK Gov website has a dedicated section dealing with the impact of Brexit on trading rules - https://www.gov.uk/transition.
In this guidance note, we look at how UK businesses will be affected by the switch to the UK version of the General Data Protection Regulation (GDPR) and explain the circumstances in which businesses may still be subject to the EU’s GDPR.
Both versions of the GDPR will have the same application rules. The two main criteria for determining whether the laws apply to your business are:
1. Location of controller/processor - the laws will apply to a controller or processor which is established in the relevant territory, regardless of whether the processing takes place in that territory or not. So, a UK business will be subject to the UK GDPR by virtue of its establishment being in the UK; likewise, a business established in the EEA will be subject to the EU GDPR.
A French-registered company has branch offices in several countries, including a branch in England and one in Scotland. The EU GDPR will apply to the company’s operations in France and other EEA countries. The UK GDPR will apply to the operations of the branches in England and Scotland, as those are ‘establishments’ of the company within the UK.
2. Targeting of activities - the laws also apply to a controller or processor outside of the relevant territory, if the processing activities are related to (a) the offering of goods or services to data subjects within the territory; or (b) the monitoring of the behaviour of data subjects within the territory. This second criterion, in particular, is where a lot of controllers and processors could become subject to both the UK and the EU GDPR.
A UK business has recently expanded its operations, marketing and selling goods to consumers (i.e. individuals) in France and Germany, but it administers this from its UK base and does not have any branch operations in those countries. As well as being subject to the UK GDPR as a result of the ‘location’ criterion, the EU GDPR will apply to its processing of the French and German data subjects’ personal information because it is targeting goods at those individuals.
Generally speaking, the UK GDPR will apply to the UK operation, whilst the EU GDPR will apply to the processing activities of the branches in the EU countries.
If the activities of the UK and EU establishments are kept distinct, so the UK office deals with UK data subjects, and the branches deal with EEA data subjects, each operation will be subject to the law applicable in its own territory. If there is an interaction between the UK and the EU operations, the business would need to consider which mechanism it relies on for the transfer of personal data.
Transfers of UK personal data into the EU will be simpler, as the UK Government has confirmed that the EU member states will be deemed to provide ‘adequate’ protection for personal data. However, in the absence of an adequacy decision from the EU Commission for the UK, an appropriate legal mechanism will be needed in order for EEA branches to share personal data with a UK establishment.
If a business doesn’t have any establishments in the EEA, the first criterion for the application of the EU GDPR will not be met, so you must consider the second, regarding whether the processing activities are related to (a) the offering of goods or services to data subjects within the territory; or (b) the monitoring of the behaviour of data subjects within the territory.
This criterion covers both controllers and processors, so it does not apply exclusively to those who control personal data and decide how it is processed, or to those who interact directly with the data subjects.
Therefore, the questions need to be:
If the EU GDPR does apply, you will be responsible as a business for complying with its requirements (in addition to the UK GDPR) and, importantly, must appoint a representative within the EEA.
This representative must be appointed within one of the member states in which the relevant data subjects are resident. There is an exception to this rule if the processing is only occasional, small scale, and does not include a good deal of ‘special’ category processing (although this exception is interpreted restrictively).
The representative must be authorised, in writing, to act on behalf of the business regarding its EU GDPR compliance, and to deal with any supervisory authorities or data subjects.
The good news is that, for many businesses processing personal data in the UK, it will be business-as-usual as the laws will remain the same. The situation is more complicated for businesses which import personal data from the EEA, or those which have operations within the EEA, as they will have to monitor and maintain compliance with both the UK and EU data protection laws.
At the moment, these laws will be virtually identical, although divergences may develop over time.
The key requirements for those businesses impacted by the EU GDPR will be to ensure they have the appropriate mechanisms in place for the transfer of personal data to the UK and, if applicable, to appoint an EU representative.
Of course, we all hope that a deal will be reached before the end of the year. However, it is important to start planning for a no-deal scenario now, so you can maintain your compliance and keep the data flowing come 2021.
This note is provided for general guidance only and should not be relied upon as legal advice. If you’d like advice or information regarding your data protection compliance, please do not hesitate to contact us at firstname.lastname@example.org.