UK GDPR

1. Free flow of data from the EU to the UK

The European Commission has decided that the United Kingdom ensures an adequate level of protection for personal data transferred to the UK under the General Data Protection Regulation (GDPR) (for details, see the Adequacy Decision of 28.6.2021). As a result, personal data can now flow freely from the European Union to the United Kingdom, where it benefits from a level of protection essentially equivalent to that guaranteed under EU law. In other words, the data protection rules in the UK closely mirror, in many respects, the corresponding rules applicable within the EU.

The Adequacy Decisions expire four years after their entry into force and will have to be renewed.

2. Data protection in the UK

Currently, the legal framework on the protection of personal data in the UK consists of:

  • The UK GDPR
  • The DPA 2018 (“Data Protection Act 2018”)

Under UK Law:

  • Personal data should be processed lawfully, fairly and in a transparent way. When the processing is based on consent, a written request for consent must be presented using clear and plain language, the consent must be freely given, and the data subject must have the right to withdraw consent at any time.
  • Personal data should be processed for a specific purpose and subsequently used only insofar as this is not incompatible with the purpose of processing.
  • Personal data should be accurate and, where necessary, kept up to date. It should also be adequate, relevant and not excessive in relation to the purposes for which it is processed, and in principle be kept for no longer than is necessary for the purposes for which the personal data is processed.
  • Personal data should also be processed in a manner that ensures its security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
  • Under the accountability principle, entities processing data are required to put in place appropriate technical and organisational measures to effectively comply with their data protection obligations and be able to demonstrate such compliance.

Data subjects enjoy certain rights under UK Law:

  • Data subjects should be informed of the main features of the processing of their personal data.
  • Data subjects have the right to access their data, to rectify them or have them rectified, and to erase them or have them erased.
  • Data subjects have the right to request restriction of processing, the right to data portability, and the right to object. The latter also includes the right of a data subject to object to the processing of personal data for the purpose of direct marketing.
  • Data subjects have the right not to be subject to a decision based solely on automated processing that produces legal effects concerning them, or similarly affects them significantly.

3. Oversight and enforcement

In the United Kingdom, the oversight and enforcement of compliance with the UK GDPR and the DPA 2018 is carried out by the Information Commissioner. The Information Commissioner is a “Corporation Sole”: a separate legal entity constituted in a single person. The Information Commissioner is supported in her work by an office. The independence of the Commissioner is explicitly established under the UK Law. You can visit the Information Commissioner’s website here.

4. International data transfers

The regime on international transfers from the UK is in substance identical to the rules set out in the GDPR. Transfers of personal data to a third country or international organisation can only take place on the basis of adequacy regulations, or in the absence of adequacy regulations, where the controller or processor has provided appropriate safeguards.

Adequacy Regulations
The Adequacy Regulations are made by the Secretary of State, and they can stipulate that a third country or an international organisation ensures an adequate level of protection of personal data. The Secretary of State must consult the Information Commissioner when proposing to adopt UK adequacy regulations. Once adopted by the Secretary of State, those regulations are laid before Parliament and subject to the “negative resolution” procedure under which both Houses of Parliament can scrutinise the regulations and have the ability to pass a motion annulling the regulations within a 40-day period.

Currently, certain transfers of personal data are treated as if they were based on adequacy regulations. These include transfers to an EEA State, the territory of Gibraltar, a European Union institution, body, office or agency set up by, or on the basis of, the EU Treaty, and third countries that were the subject of an EU adequacy decision at the end of the transition period.

Appropriate safeguards
In the absence of Adequacy Regulations, international transfers can take place where the controller or processor has provided appropriate safeguards. Appropriate safeguards include, among others, standard data protection clauses. The standard data protection clauses can be adopted by the Secretary of State or by the Information Commissioner.

We comply with the UK GDPR. We have made adjustments to our Data Processing Addendum to reflect our compliance with the UK GDPR. To view our DPA, click here. Should you have any questions concerning UK GDPR, you may contact Privacy.