Data Protection

Introduction

On 01 January 2021, the United Kingdom (UK) ceased to be a member state of the European Union (EU). One significant implication of this is that, fundamentally, the application of EU legislation and regulation in the UK also stopped. One of these is the EU General Data Protection Regulation (EU GDPR), the data protection regulatory framework of the EU. This article briefly sets out the similarities and differences between the EU GDPR and UK GDPR provisions that are most applicable to private companies. It also succinctly outlines the concept of the EU (GDPR) representative (as defined and regulated in both the EU and UK GDPRs), with the aim of providing companies with practical pointers.

UK GDPR

The UK data protection regulation is set out in the UK GDPR along with the UK Data Protection Act of 2018. The UK GDPR came into effect on 01 January 2021, is founded on the EU GDPR (which also applied in the UK before Brexit) and has some differences to the EU GDPR “to make it work more effectively in a UK context”[1].

Adequacy Decision, Similarities & Differences between UK GDPR & EU GDPR

On 28 June 2021 the European Commission (EC) adopted an adequacy decision for the transfer of personal data to the UK (valid for an initial period of four years, until 27 June 2025), which indicates that the EC deems the UK’s legislation and public institutions to provide adequate levels of protection for personal data that is transferred from the EU to the UK[2]. According to the Commission’s Implementing Decision of 28 June 2021 on the adequate protection of personal data by the UK (“EC Implementing Decision”), the following similarities and differences exist between the EU GDPR and the UK GDPR (as set out in the table below). The items in the table reflect those that would be most relevant for and between companies[3]:

UK GDPR and EU GDPR Similarities

1. Definitions of “personal data”, “data subject” & “processing”;
2. No application to the processing of personal data by:
a) an individual in the course of a purely personal / household activity,
b) a competent authority for purposes of the prevention, investigation, detection or prosecution of criminal offences or in the execution of criminal penalties (“law enforcement purposes”)
3. Territorial scope:
a) Activities of controllers & processors in the UK;
b) Processing of personal data of data subjects who are in the UK, where the processing relates to offers of goods & services or monitoring of the data subjects’ behaviour
4. Principles of lawfulness, fairness & transparency and the grounds for lawful processing are guaranteed
5. Processing of special categories of data is, in principle, prohibited, unless a specific exception applies
6. General safeguards for certain processing operations of special categories of data
7. Compulsory designation of a data protection officer where the controller’s or processor’s core activities consist of processing special categories of data on a large scale
8. Processing of personal data for a specific purpose, and subsequent use only insofar as it is compatible with the purpose of processing
9. Principles of data minimisation, accuracy and storage limitation
10. Data security through the principle of integrity & confidentiality
11. Principle of transparency
12. Substantive rights of data subjects are enforceable
13. International data transfer: the UK provisions relating to the protection of personal data that is transferred outside of the UK (and the EU) are “in substance identical to the rules set out in Chapter V of Regulation (EU) 2016/679”[4]:
a) on the basis of adequacy regulations (equivalent to EU adequacy decisions),
b) where there are no adequacy regulations, then appropriate safeguards by the controller or processor,
c) in the absence of the aforesaid, transfers must be based on derogations.
14. Appropriate technical and organisational measures (TOMs):
a) This requirement, falling under the principle of accountability (EU Regulation 2016/679), has been retained in the UK GDPR “without material change”.
b) The same applies to the principles of data protection by design and data protection by default, as well as codes of conduct and certification.
15. Potentially significant monetary penalties & administrative fines for transgressions:
a) Fines of £8,700,000 – £17,500,000, or
b) 4% of worldwide annual turnover.

Only in UK GDPR

1. Processing of sensitive data for reasons of substantial public interest:
a) Exhaustive list of purposes that can be considered as of substantial public interest – each with specific additional conditions
b) Processing here subject to detailed requirements
c) Suitable & specific safeguards required (considering also nature of processing & level of risk for the rights & freedoms of data subjects)
d) Additional requirements & responsibility for controllers (e.g. appropriate policy document, record of processing)
2. Restrictions to individual rights guided by:
a) Principle of specificity &
b) Principle of conditionality

The EU Representative: EU GDPR Still Applies to UK Companies

Even though there are many similarities between the EU GDPR and the UK GDPR, UK companies will, among other things, still be required to designate an EU representative[5]. According to the UK Information Commissioner’s Office, controllers and processors operating in the UK

    • who have no business presence in the European Economic Area (EEA[6]) (in the form of branches, offices or other establishments), but who
    • offer goods or services to individuals in the EEA, or
    • monitor the behaviour of individuals in the EEA,

must

    • comply with the EU GDPR in respect of such processing, and
    • appoint an EU representative based in the EEA (and specifically in a country where some of the individuals’ personal data that is being processed is located)[7].

The EU representative

1. Must be duly appointed in writing and authorised to act on behalf of the said UK controller or processor in respect of EU GDPR compliance;

2. Is appointed to also deal with any EU supervisory authorities or EU data subjects;

3. May be a company, individual or organisation established in the EEA;

4. Must be able to represent the UK controller or processor in respect of its EU GDPR obligations[8];

5. Must be mentioned in the UK controller’s or processor’s privacy policy[9].

Closing Remarks

The adequacy decision granted in favour of the UK by the European Commission on 28 June 2021 makes the transfer and processing of personal data of residents of these jurisdictions much easier. While there are also many similarities between the EU GDPR and the UK GDPR, the requirement for data controllers and processors to appoint GDPR representatives should not be underestimated. We are your certified and trusted EU GDPR representative – at your service.

Notes

[1] ico.org.uk/…/about-the-dpa-2018
[2] ec.europa.eu/…/decision_on_the_adequate_protection…_en.pdf
[3] Paras 2.2 – 2.3 of the EC Implementing Decision
[4] Para 2.5.7 (75) of the EC Implementing Decision
[5] secureprivacy.ai/blog/what-is-uk-gdpr
[6] The EEA comprises the 27 EU member states plus Iceland, Liechtenstein & Norway.
[7] ico.org.uk/…/european-representatives
[8] ico.org.uk/…/european-representatives
[9] iapp.org/news/a/gdpr-representatives-in-the-eu-and-the-uk-after-brexit