Wird diese Nachricht nicht richtig dargestellt, klicken Sie bitte hier.

Heuking Kühn Lüer Wojtek

Update Data Protection
IP, Media & Technology

No. 51 | 2019-01-22


Rejection of the Brexit Withdrawal Agreement: What do companies have to consider now?
Dr. Philip Kempermann, LL.M.


The Brexit Withdrawal Agreement negotiated between the European Union and the United Kingdom envisaged that during the United Kingdom's transitional period data protection legislation would have been treated in the same way as with the countries of the European Economic Area. This would have allowed a transfer of personal data from the European Union to the United Kingdom without additional measures to ensure adequate levels of data protection. Subsequently, an adequacy decision on the level of data protection of the United Kingdom was supposed to be issued during the transitional period.

Data protection law consequences of a No-Deal Brexit

However, with the British Parliament's rejection of the Brexit Withdrawal Agreement on 01/15/2019, it is now becoming more and more likely that these transitional arrangements will never be applied. This means that, when the Brexit comes into effect on 03/29/2019, the United Kingdom will become a third country within the meaning of Art. 44-49 GDPR. In order to ensure the transfer of personal data, in addition to the general permissibility of the processing itself, either the consent of the data subjects must be obtained for this transfer, or other measures must be taken in accordance with Art. 44-49 GDPR which ensure an adequate level of data protection. Otherwise, the transfer of personal data from the European Union to the United Kingdom would be unlawful.

This is true even though the United Kingdom has transposed the GDPR into national law and will continue to do so after Brexit becomes effective. In fact, the same data protection legislation applies as within the European Union. However, the European Commission has already clarified on 11/13/2018 that in the case of a No-Deal Brexit, the United Kingdom will still be regarded as an unsafe third country from 03/30/2019 until a decision on adequacy is issued. In order to do achieve this, the regular procedure for reaching an adequacy decision that would qualify the United Kingdom as a secure third country and thus facilitate a transfer without further action must first of all be completed. According to experience so far, such a procedure takes from several months to more than one year.
Need for action for companies

This means that companies who transfer personal data to the United Kingdom need to take action. For example, a transfer occurs if they have subsidiaries or branches that need to work with personal data from the European Union (access to IT systems located within the European Union is already sufficient to be deemed a transfer of personal data). The use of IT providers whose systems are hosted in the UK is also sufficient to trigger the requirement to act. Otherwise, companies risk that these transfers of personal data are impermissible, which may result in fines of up to €20 million or 4% of worldwide annual turnover. No transitional periods apply.

Standard contractual clauses are proven means

The only practicable means to secure the data transfer is the use of the so-called standard contractual clauses. Standard contractual clauses are contractual arrangements between the controller in the European Union and the recipient of the personal data in the unsafe third country, here the United Kingdom, which are to ensure an adequate level of data protection. The European Commission has stated in decisions that this is the case when using these standard contract clauses. They exist for the transfer of personal data from controller to controller as well as from controller to processor.

We recommend that companies concerned act proactively and approach the data-receiving companies in the United Kingdom and urge them to agree to the conclusion of the standard contract clauses. This could be done under the condition precedent of a No-Deal Brexit.

On the other hand, companies that wish to transfer data from the United Kingdom to the European Union can continue to do so, according to currently available information. The UK regulator has already said so in statements. Unfortunately, this does not apply for the reverse direction.


Author


Dr. Philip Kempermann, LL.M. is a partner and a lawyer at Heuking Kühn Lüer Wojtek and member of the practice group IP, Media & Technology.

Contact

T +49 211 600 55-168
F +49 211 600 55-160
E datenschutz@heuking.de

Visit our Website with focus on Data Protection Law:
Microsite Data Protection

Task Force Data Protection
Heuking Kühn Lüer Wojtek
Dr. Christian Appelbaum
Heuking Kühn Lüer Wojtek
Dr. Ubbo Aßmus
Heuking Kühn Lüer Wojtek
Felix Drefs
Heuking Kühn Lüer Wojtek
Alexa Finke
Heuking Kühn Lüer Wojtek
Regina Glaser, LL.M.
Heuking Kühn Lüer Wojtek
Torsten Groß, LL.M.
Heuking Kühn Lüer Wojtek
Anne Heisig
Heuking Kühn Lüer Wojtek
Maike Katharina Hinz
Heuking Kühn Lüer Wojtek
Britta Hinzpeter, LL.M.
Heuking Kühn Lüer Wojtek
Dr. Thomas Jansen
Heuking Kühn Lüer Wojtek
Dr. Philip Kempermann, LL.M.
Heuking Kühn Lüer Wojtek
Dr. Lutz Martin Keppeler
Heuking Kühn Lüer Wojtek
Dr. Markus Klinger
Heuking Kühn Lüer Wojtek
Michael Kuska, LL.M., LL.M.
Heuking Kühn Lüer Wojtek
Astrid Luedtke
Heuking Kühn Lüer Wojtek
Marcel Maybaum
Heuking Kühn Lüer Wojtek
Antje Münch, LL.M.
Heuking Kühn Lüer Wojtek
Dr. Søren Pietzcker, LL.M.
Heuking Kühn Lüer Wojtek
Dr. Wolfgang G. Renner, LL.M.
Heuking Kühn Lüer Wojtek
Dr. Dirk Stolz
Heuking Kühn Lüer Wojtek
Dr. Frederik Wiemer
Heuking Kühn Lüer Wojtek
Dr. Florian Winzer
Heuking Kühn Lüer Wojtek
Dr. Hans Markus Wulf




I want to
unsubscribe

subscribe









Heuking Kühn Lüer Wojtek
© 2019 Heuking Kühn Lüer Wojtek

PartGmbB von Rechtsanwälten und Steuerberatern*
Georg-Glock-Str. 4, 40474 Düsseldorf

* Data protection information / register details / list of partners: www.heuking.de

Information on how Heuking Kühn Lüer Wojtek handles your personal data,
the purposes for processing your data, the legal basis for processing,
and on your rights can be found at www.heuking.de.

datenschutz@heuking.de