The European Commission has decided that the United Kingdom ensures an adequate level of protection for personal data transferred to the UK under the General Data Protection Regulation (GDPR) (for details, see the Adequacy Decision of 28.6.2021). As a result, personal data can now flow freely from the European Union to the United Kingdom, where it benefits from an essentially equivalent level of protection to that guaranteed under EU law. In other words, the data protection rules in the UK in many respects closely mirror the corresponding rules applicable within the EU.
The Adequacy Decisions shall expire four years after their entry into force, and will have to be renewed.
Currently, the legal framework on the protection of personal data in the UK consists of:
Under UK Law:
Data subjects enjoy certain rights under UK Law:
In the United Kingdom, the oversight and enforcement of compliance with the UK GDPR and the DPA 2018 is carried out by the Information Commissioner. The Information Commissioner is a “Corporation Sole”: a separate legal entity constituted in a single person. The Information Commissioner is supported in her work by an office. The independence of the Commissioner is explicitly established under UK Law. You can visit the Information Commissioner’s website here.
The regime on international transfers from the UK is in substance identical to the rules set out in the GDPR. Transfers of personal data to a third country or international organisation can only take place on the basis of adequacy regulations, or in the absence of adequacy regulations, where the controller or processor has provided appropriate safeguards.
The Adequacy Regulations are made by the Secretary of State, and they can stipulate that a third country or an international organisation ensures an adequate level of protection of personal data. The Secretary of State must consult the Information Commissioner when proposing to adopt UK adequacy regulations. Once adopted by the Secretary of State, those regulations are laid before Parliament and subject to the “negative resolution” procedure under which both Houses of Parliament can scrutinise the regulations and have the ability to pass a motion annulling the regulations within a 40-day period.
Currently, certain transfers of personal data are treated as if they are based on adequacy regulations. These transfers include transfers to an EEA State, the territory of Gibraltar, a European Union institution, body, office or agency set up by, or on the basis of, the EU Treaty, and third countries which were the subject of an EU adequacy decision at the end of the transition period.
In the absence of Adequacy Regulations, international transfers can take place where the controller or processor has provided appropriate safeguards. Appropriate safeguards include, among others, standard data protection clauses. The standard data protection clauses can be adopted by the Secretary of State or the Information Commissioner.
For more details on international data transfers from the UK, click here.
We comply with the UK GDPR. We have made adjustments to our Data Processing Addendum to reflect our compliance with the UK GDPR. To view our DPA, click here. Should you have any questions concerning UK GDPR, you may contact privacy at efrontlearning dot com.