Home / Insight / Brexit / TMC incl. data protection

TMC incl. data protection

Legal area

Legal aspect


Data protection

The transfer of personal data to recipients from non-EU countries requires supplementary verifications / measures in order to ensure an adequate level of data protection.

Unless special arrangements are made between the EU and the UK, the UK will initially be deemed an "unsafe third country" from a data protection viewpoint after Brexit.

These requirements apply both on the basis of the current EU Data Protection Directive (and the corresponding national laws) and the EU General Data Protection Regulation which comes into force on 25 May 2018.

In this case, the UK could

  • unilaterally recognise the EU data protection regulations (and possibly also the EU General Data Protection Regulation);
  • initiate a "decision on adequacy" by the EU Commission.

The following action could be considered:

  • Recognition of an adequate level of data protection on the strength of a "decision on adequacy" by the EU Commission (currently in place for eleven countries and for certified US recipients under the EU-US Privacy Shield).
  • Binding Corporate Rules for data transfer within companies, with the approval of the regulatory authorities.
  • Conclusion of agreements with recipients on the basis of EU standard contractual clauses (judicial review likely).

If no such high-level initiatives are adopted, an adequate level of data protection must be assured for data transfers to the UK on a case-by-case basis, if necessary through contractual agreements with the respective recipient.It is safe to assume that the UK is aware of the importance of international data transfers and the possible consequences of Brexit in relation to data protection law. In particular, the country’s data protection authority (the ICO) will contribute its expertise during the exit negotiations.