The EU Commission announced on 28 June 2021 that adequacy decisions for the UK have been approved. We are in the process of updating our guidance to reflect this decision.
If your organisation operates in the EEA, you need to comply with both UK and EU data protection regulations. You may also need to appoint a representative in the EEA.
- The UK is committed to maintaining the high standards of the GDPR and the government has incorporated it into UK law (the UK GDPR) alongside the Data Protection Act 2018.
- You will need to comply with the UK data protection regime for your activities in the UK.
- If you have offices, branches or other establishments in the EEA, your European activities are covered by EU law. You can check which European data protection regulator will be your ‘lead supervisory authority’.
- Take stock so that you can identify overseas data acquired before the end of the transition period (known as ‘legacy data’). Data you collected before the end of 2020 about people who were located outside the UK at the end of 2020 will be subject to the EU GDPR as it stood on 31 December (known as the ‘frozen GDPR’). You may use the latest information you have about where people were living, up to 31 December 2020. Personal data acquired since 01 January that is processed on the basis of the Withdrawal Agreement (for example if personal data is processed under a provision of EU law that applies in the UK by virtue of the Withdrawal Agreement) is also subject to the frozen GDPR.
- If you are only based in the UK but you offer goods or services to individuals in the EEA, or monitor the behaviour of individuals in the EEA, you need to comply with the EU data protection regime in relation to these activities. In most cases you will also need to appoint a suitable representative in the EEA. This person will act as your local representative with individuals and data protection authorities in the EEA. You need to find a provider in the EEA who offers services as a GDPR representative. If you have a data protection officer (DPO), this cannot be the same person or one of your processors. Read more in our guidance to European representatives.
- Make sure you review your privacy information and documentation to identify any minor changes that need to be made at the end of the transition period.
- Keep up to date with the latest information and guidance.