In the light of the United Kingdom’s already submitted intention to withdraw from the Union pursuant to Article 50 of the Treaty on European Union,  the Directorate- General Justice and Consumers of the European Commission issued a notice to all stakeholders, in order to warn them that, unless another date is established by a ratified agreement,  all Union primary and secondary law will cease to apply to the United Kingdom from 30 March 2019, 0:00 (CET) (“the withdrawal date”) and the United Kingdom will then be considered as a “third country”. This fact entails that, concerning the transfer of personal data, the EU rules for transfer to third parties apply in this case.

More precisely, there will be three options in order to ensure such a transfer after the withdrawal date. First of all, an “adequacy decision” and in second place, the “appropriate safeguards”, which may be provided for by either the already well-known tools, meaning Standard Data Protection Clauses (three sets of model clauses are already adopted by the Commission and Binding Corporate Rules (approved by the competent authority), or by the new tools introduced by the GDPR, in particular by “codes of conduct” and “approved certifications mechanisms”. Last but not least, in the absence of the aforementioned options, a transfer of data may take place on the basis of so-called “derogations” concerning specific cases, mentioned by the GDPR, such as the subject’s consent or the performance of a contract.

The European Commission also reminds that preparing for the withdrawal is not just a matter for EU and national authorities but also for private parties and highlights that a specialized group, set up by the Commission, will further discuss on the topic.

Source of information:

Edited by Youli Siamandoura