Overview
As a result of leaving the European Union (EU), the UK is now considered to be a 'third country' for EU data protection purposes. However, the Trade and Cooperation Agreement provides provisions for the continued transfer of personal data from the European Economic Area (EEA) to the UK.
The UK GDPR
Now that the transition period has ended, the UK is a 'third country' for the purposes of the EU’s General Data Protection Regulation (EU GDPR). The existing text of the EU GDPR is now part of UK law and has therefore become the UK GDPR; this continues to be supported by the Data Protection Act 2018 and together they form UK data protection law. These two pieces of legislation have each been amended in places to reflect the fact that the UK is no longer a member of the EU and that EU bodies and courts no longer have a role in shaping UK law. If you have any templates or guidance which refer to the EU or EEA and to the GDPR you should amend them to reflect these changes.
Transfers of personal data from the UK to the EU
One of the most significant amendments for our University is the decision to make all EEA member states (the EEA comprises the EU 27 member states + Norway, Liechtenstein and Iceland) ‘adequate’ countries for the purposes of transferring personal data to an EEA country from the UK. This means that the UK has determined that EEA states offer a similar level of protection for personal data as in the UK and therefore personal data can continue to be shared with EEA based partners without the need for further safeguards, such as specific contractual clauses, having to be in place first.
Transfers of personal data from the EU to the UK and the ‘bridging period’
The UK is now a 'third country' under EU GDPR and whilst the Trade and Cooperation agreement reached between the EU and the UK does not include data protection, the political declaration that accompanied it does include a commitment by both parties to maintaining high levels of data protection. As part of this the EU has agreed to reach its own ‘adequacy’ decision regarding the UK within 6 months. If the UK gains this status, flows of personal data from an EEA based entity to the UK will also be able to continue without the need for additional safeguards. In the intervening period whilst the adequacy assessment process is underway a 6 month ‘bridging period’ has been introduced (January 2021 to June 2021). During this time, ending no later than June 2021, personal data can continue to be transferred from the EU to the UK as before, effectively extending the transition period for the purposes of data protection. Should the adequacy decision from the EU be unfavourable, EEA based partners will need to put additional safeguards in place before they can share any new personal data with the University. It would therefore be useful for those dealing with European partners to maintain a dialogue with them about this issue so that if required the additional safeguards can be put in place to avoid disruption to services or research.
Further information is available about personal data and international transfers.
For specific queries, contact information.governance@manchester.ac.uk