Click to open contact form.
Your Global Partners in the Business of Innovation

UK GDPR to Enter into Force as the Transition Period for EU Data Transfers is Extended

Publications / Dec 31, 2020

Article written by Haim Ravia, Dotan Hammer and Adi Shoval

With the United Kingdom’s imminent exit from the EU, the UK privacy regulation, also known as the “UK GDPR”, will enter into force within the United Kingdom on January 1, 2021, instead of the EU GDPR. Meanwhile, the UK and EU have managed to agree on a comprehensive Trade and Cooperation agreement.

Among numerous other matters, the agreement extends the transition period for EU data transfers starting January 1, 2021, and until the EU Commission adopts an adequacy decision concerning the UK, but for no more than six months (which can also be further reduced to four months if the UK or the EU so wish). During this period, the UK may not change its data protection laws without first obtaining the EU’s approval. If it does, the extended transition period will terminate.

The agreement, therefore, allows for the continued flow of personal data from the EU to the UK for the duration of the extended transition period. Upon the termination of the transition period, transfers of personal data from the EU to the UK will be considered as international transfers under the EU GDPR and will be subject to one of the EU GDPR’s prescribed data transfer mechanisms.

The UK and EU agreement will apply from January 1, 2021, on a provisional basis until the EU Parliament gives its consent to the agreement and its entry into full force.

From the UK perspective, the UK GDPR adopts the EU Commission’s current list of countries recognized as providing an adequate level of protection of personal data and to whom EU personal data can therefore be transferred without additional restrictions. This means that transfers of personal data from the UK to these countries, including Israel, remain valid.

In addition, similar to the EU GDPR’s requirement for the appointment of an EU representative, the UK GDPR requires organizations that are not established in the UK but process personal data of UK individuals, to appoint a UK representative. This requirement is effective starting January 1, 2021.

CLICK HERE to read the UK and EU trade and cooperation agreement.

INNOVATION HIGHLIGHTS