Privacy & Data Protection

Checklist

1.    Is there an extension of the transition period?

Yes. Organisations have a grace period for data transfers between the EU and the UK of four months (until 1 May 2021), which will be extended by a further two months (until 30 June 2021) unless either the EU or UK objects.

This means that organisations can continue to transfer personal data between the two countries for the next four to six months without requiring additional measures and performing a data transfer risk assessment (that would otherwise be mandated by Chapter V of the GDPR). The GDPR will continue to apply in the UK throughout the four- to six-month transition period.

If no adequacy decision is reached by the end of the transition period (an adequacy decision would allow personal data to flow from Belgium to the UK without the need for any further safeguards), transfers of personal data to the UK will then need to be conducted in accordance with the requirements of Chapter V of the GDPR.

2.    Consider whether you are transferring personal data from Belgium (and other EEA countries) to the UK

Belgian organisations should by now (i) have identified the processing activities that involve personal data transfers from Belgium to the UK (e.g. HR outsourcing, IT or payroll functions of a UK-based organisation; storing data in the UK on a server or in the cloud) and understand the data flows with the UK; (ii) have determined the appropriate data transfer mechanism, such as standard contractual clauses (“SCCs”); binding corporate rules; and codes of conduct and certification mechanisms; and (iii) have implemented the chosen data transfer mechanism.

3.    What else can we do to prepare? Review your privacy information and your documentation to identify any items that will need to be updated

In particular, organisations need to (i) review the international transfer provisions in their privacy policy; and (ii) keep a record of processing activities and make sure it includes details of transfers to the UK. They may also need (iii) to update who to notify in the event of a data breach or an incident notification under the Network and Information Systems laws; and (iv) review their existing DPIAs where they involve any data transfers between Belgium and the UK.

4.    Appointment of a representative (local point of contact)

If an organisation is based in the UK and does not have a branch, office or other establishment in Belgium, and provides goods or services to individuals in the EEA or monitors the behaviour of individuals in the EEA, there is a requirement to have an EU representative.

If the organisation is based in Belgium (or in any other EEA state), and does not have a branch, office or other establishment in the UK, and provides goods or services to individuals in the UK or monitors the behaviour of individuals in the UK, there is a requirement to have a UK representative.

This local point of contact’s role ensures that the organisation complies with the GDPR and/or the UK GDPR. CMS offers UK representative services via its UK offices.

5.    Transfer of personal data from the UK to Belgium (and any other EEA countries)

Data transfers will not be restricted. The UK government has confirmed that all EEA countries (including Belgium) will be considered as “adequate” for data transfers (see below).

6.    What about your security breach response plan?

If an organisation is processing data (e.g. selling online) for two establishments – one in the UK and one in Belgium (or in any other EEA state) – in the event of a security breach (e.g. customer database breach affecting UK and Belgium customers), it will be investigated by the UK ICO and the Belgian Data Protection Authority. The organisation could be fined by both authorities.

7.    GDPR and personal data of UK data subjects

The UK government intends to bring the GDPR directly into UK law (as the “UK GDPR” - United Kingdom General Data Protection Regulation), effective from the end of the transition period, to sit alongside the UK Data Protection Act 2018 (“DPA 2018”). There may be further developments about how the UK deals with particular issues such as UK–EU transfers. For the UK, this will most likely be a significant factor in securing an adequacy decision from the European Commission (see below).

8.    Are standard contractual clauses (SCCs) still a valid mechanism for data transfers?

Yes, SCCs can still be used to lawfully transfer personal data outside the EEA. However, organisations wishing to conclude SCCs with a data importer outside the EEA will now have to assess whether and to what extent the laws of that country allow its public authorities to interfere with the exported personal data. If the laws of that country do not ensure adequate protection, the data exporter is required to take appropriate safeguards to mitigate this lack of data protection. However, it is still to be seen what the EU data protection authorities will consider as “appropriate safeguards”.

If it is not possible for personal data to be adequately protected in the data importer’s country, even though SCCs are in place, then the data exporter must suspend those data transfers. If the exporter does not do so, then the relevant supervisory authority may order the transfer to be suspended or stopped (see our Law-Now for more details on the consequences of the Court of Justice of the European Union (“CJEU”) judgment in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems).

9.    Designation of the lead supervisory authority (“LSA”) may need to be reviewed

As of 1 January 2021, if a Belgian organisation’s main establishment is in the UK (the place where decisions about the purposes and means of personal data processing are taken), the Information Commissioner's Office may no longer be the LSA. An organisation will have to assess which of the other data protection authorities (“DPAs”) is the most appropriate to be its LSA or leave cross-border processing activities subject to regulation by multiple DPAs.

An organisation will still need to be registered with the ICO for processing activities in the UK.

10.    Ensure your data protection officer (“DPO”) or privacy representative is aware of the key changes and ensures your company continues to comply

The DPO or privacy expert needs to be aware of the ongoing importance of GDPR compliance, as well as specific implications for any European operations and data flows. He/she should have expert knowledge of both UK data protection law (DPA 2018) and the GDPR, and be “easily accessible” from both locations. Keeping up to date with the latest information and guidance is of paramount importance as the DPO will need to manage potential exposure to sanctions under both the EU and UK regulatory enforcement regimes.

11.    Do the Network and Information Systems (“NIS”) rules still apply?

Yes. The NIS rules – covering organisations providing digital services such as online marketplaces, online search engines and cloud services – will continue to apply from the end of the transition period. They derive from EU law but are also set out in UK law (the Network and Information Systems Regulations 2018). If a company is a UK-based digital service provider offering services in the EU, from the end of the transition period it may need to appoint a representative in one of the EU member states in which it offers services. It will need to comply with the local NIS rules in that member state. If it also offers services in the UK, it will also need to continue to comply with the UK rules regarding its UK services.

12.    Does the eIDAS (EU) Regulation still apply?

The eIDAS (EU) Regulation rules, covering electronic identification and trust services for electronic transactions, will no longer apply in the UK after the end of the transition period. However, the UK government intends to incorporate the eIDAS rules into UK law from that date.

In practice, if a company is a UK trust service provider, it should assume that it will still need to comply with eIDAS rules. If it offers trust services in the EU, it may also still need to comply with EU eIDAS law in other member states after the end of the transition period. The UK will no longer regulate that aspect of the company’s services.