The EU Commission announced on 28 June 2021 that adequacy decisions for the UK have been approved. We are in the process of updating our guidance to reflect this decision.
Does this section apply to us?
This section applies if you are a UK-based controller or processor currently carrying out cross-border processing of personal data, across member state borders, but still within the EEA.
You do not need to read this section if you are based only in the UK and your processing of personal data is unlikely to affect individuals in any other EU or EEA state.
What do we need to do?
- Consider whether any of your processing of personal data involves cross-border processing under the EU GDPR, and if so who your lead supervisory authority is.
- If you will continue to carry out cross-border processing, and your current lead authority is the ICO, review the EDPB guidance, and consider which other EU and EEA supervisory authority will become lead authority at the end of the transition period (if any).
- If you no longer carry out cross-border processing, but your processing will continue to be within the scope of the EU GDPR (for example, if you are ‘targeting’ individuals in the EEA), this could be a key change for your business and you may want to consider its impact.
What is the regulatory impact on cross-border processing?
If you are established in the UK and carry out cross-border processing (by carrying out processing that affects individuals in one or more EEA states), there are changes to which data protection authorities you need to deal with.
One of four scenarios may apply to you.
Scenario 1
- You are currently cross-border processing in relation to two establishments: one in the UK and one in another EU or EEA state.
- Your processing is not likely to substantially affect individuals in a EU or EEA state.
Now the UK has left the EU:
your processing is no longer cross-border processing. You are no longer processing personal data in the context of the activities of establishments in two or more EU or EEA states.
The One-Stop-Shop and lead authority arrangements no longer apply to your processing. You will have to deal with both the ICO and the supervisory authority in the other EU or EEA state where you are established.
Example
A fashion retailer:
- has a head office in London, which handles all its customer data;
- has a distributor in Paris for French sales; and
- sells only in the UK and France.
Now the UK has left the EU:
The fashion retailer is no longer cross-border processing. It will have only a single EEA establishment (the Paris distributor), which distributes to customers only in France.
If there is a security breach of the retailer’s customer database affecting UK and French customers, it will be investigated by the ICO under UK data protection law and the French supervisory authority under the EU GDPR. The retailer could be fined by both.
Scenario 2
- You are processing for two establishments: one in the UK and one in another EU or EEA state.
- Your processing in the context of the activities of both the UK and EEA establishment is likely to substantially affect individuals in other EU or EEA states.
Now the UK has left the EU:
Processing in the context of your UK establishment is no longer cross-border processing.
Processing in the context of your EEA establishment, which substantially affects data subjects in other EU or EEA states, will continue to be cross-border processing. Its local supervisory authority will be the lead supervisory authority in the EEA in respect of that cross-border processing.
You will have to deal with both the ICO and the EEA lead supervisory authority.
Example
A fashion retailer:
- has a head office in London, which handles all its customer data;
- has a European distribution centre in Paris; and
- sells online to the UK, France, Italy and Spain.
Now the UK has left the EU:
The fashion retailer is no longer cross-border processing in the context of the London office.
The fashion retailer is cross-border processing in the context of the Paris distributor, for French, Italian and Spanish customer data.
The French supervisory authority is the lead authority as the fashion retailer has an establishment only in France.
If there is a security breach of the retailer’s customer database affecting French, Italian and Spanish customers, it will be investigated by the ICO under UK data protection law and the French supervisory authority under the EU GDPR. The retailer could be fined by both.
Scenario 3
- You are processing in relation to three or more establishments: one in the UK and two or more in other EU or EEA states.
- Your processing may or may not substantially affect individuals in any other EU or EEA state.
Now the UK has left the EU:
The UK establishment is no longer cross-border processing.
Your EU or EEA establishments will still be cross-border processing. You will have to deal with both the ICO and your EEA lead supervisory authority. You should review the EDPB guidance to work out which is your lead authority.
Example
A fashion retailer:
- has a head office in London, which handles all its customer data;
- has a global distribution centre in Paris and a global marketing office in Milan; and
- sells online across the world.
Now the UK has left the EU:
The fashion retailer is no longer cross-border processing in the context of its London office.
The fashion retailer continues cross-border processing in the context of its Paris and Milan offices. Its lead authority would be decided based on EDPB guidance. If the largest customer base was in Italy, the Italian supervisory authority would probably be the lead authority.
If there is a security breach of the retailer’s customer database, it will be investigated by the ICO under UK data protection law and the Italian supervisory authority (if it is the lead authority) under the EU GDPR. The retailer could be fined by both.
Scenario 4
- You are processing with an establishment only in the UK, and no establishment in any other EU or EEA state.
- Your processing is likely to substantially affect individuals in one or more other EU or EEA state.
Now the UK has left the EU: you are not carrying out cross-border processing under the EU GDPR as you have no office, branch or other establishment in the EEA.
You still need to comply with the EU GDPR to the extent that your processing relates to the offering of goods or services to, or the monitoring of the behaviour of, individuals in the EEA.
You may have to deal with the ICO and the supervisory authorities in all EU and EEA states where individuals are located if you process their personal data in connection with those activities.
Example
A fashion retailer:
- has a head office in the UK that handles all customer data; and
- markets and sells online across Europe.
Now the UK has left the EU:
The fashion retailer is no longer cross-border processing as it has no office, branch or other establishment in the EEA.
All the fashion retailer’s processing of personal data will be subject to the UK GDPR and the oversight of the ICO.
All the fashion retailer’s marketing activities targeting EEA customers will also be subject to the EU GDPR.
If there is a security breach of the fashion retailer’s customer database, it will be investigated by the ICO under UK data protection law. It may also be investigated by any of the EEA authorities if it has affected customers in their member state. In theory, the retailer could be fined by the ICO and the supervisory authority in every EU and EEA state where customers have been affected.
This could be a key change for your business, and you may want to consider how to minimise any risks. For example, you should consider what resources may be needed to deal with enquiries from various EU and EEA supervisory authorities.
The ICO may no longer be part of the One-Stop-Shop. But we will still co-operate and collaborate with European supervisory authorities, as we did before GDPR and the One-Stop-Shop system, regarding any breaches of GDPR that affect individuals in the UK and other EU and EEA states.