Effective from 01.01.2021 the United Kingdom (UK) became a third country to the European Union (EU). Since then the data transfer from the EU to the UK should be governed under the specific rules of Chapter V, art. 44 to art. 50 of the General Data Protection Regulation 2016/679 of the European Parliament and of the Council (GDPR).
But by the power of the Trade and Cooperation Agreement a period of 4+2 months is provided (until 30.04.2021 and which period shall be extended by two further months until 30.06.2021 unless one of the Parties objects or the European Commission adopts adequacy decision in relation to the UK) until the end of which the transfer of data from the EU to the UK will not be treated as a third country transfer. The so-called ‘bridging clause’ ensures the undisturbed continuity of data flows between the EEA and the UK, with no need for companies to put in place any transfer tool under the GDPR. This solution is conditional on the commitment by the UK not to change the data protection regime currently in place. In essence, this means that the UK must continue to apply the data protection rules, based on EU law, that were applicable during the transition period. If, during the specified period, the United Kingdom amends the applicable data protection regime or exercises the designated powers without the agreement of the Union, the specified period shall end on the date on which the powers are exercised or the amendment comes into force.
After the specified period has come to an end and in case the European Commission does not adopt a final decision on the adequate protection of personal data by the United Kingdom, the relations concerning personal data transfer to the UK must be governed by the special rules provided for export of personal data to countries non-bounded by the GDPR.
In this manner, on 19.02.2021 and on the grounds of article 45 of GDPR the European Commission presented a Draft decision on the adequate protection of personal data by the United Kingdom which is already sent to the European Data Protection Board (EDPB) for opinion which must be followed by a green light from a committee composed of representatives of the EU Member States. Once this procedure is completed, the Commission may adopt the adequacy decision. In case the procedure is successfully finalized before the ending of the specified period the data transfer to the UK may continue without specific authorisation by the supervisory authority such as the Bulgarian Commission for Personal Data Protection.
In case the adequacy decision is not adopted in the specified period, the data transfer to the UK may take place if the controller or the processor bounded by the GDPR provides appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. Such appropriate safeguards may be the Standard Contractual Clauses (SCC) adopted by the European Commission. The Commission have already adopted such SCC which are applicable only in relations between EU controller to non-EU or EEA controller and in relations between EU controller to non-EU or EEA processor. They may be applied in such relations after taking into consideration the guidelines in the EU Court’s judgement on the case C‑311/18 known as Schrems II. In relation to it on December 2020 the Commission presented a draft decision on new Standard Contractual Clauses which (when finally adopted) shall have wider scope and can be used also in the personal data transfer relations processor-to-processor and processor-to-controller.
The SCC (or another appropriate safeguard as provided in the GDPR) should become an integral part of the contract between parties established in the EU, on the one side, and parties established in the UK, on the other side, if, by the end of the specified period, an adequacy decision in favor of the UK is not adopted. Inclusion of the SCC must be preceded by an assessment of the UK’s legislation ability to assure sufficient guarantees for the data subject’s rights. Moreover, an inability of the data importer established in the UK to comply with these minimal requirements for data protection is a “deal-breaker” – the data transfer from the EU must be suspended until compliance is restored and in case of impossibility – even if it is based on regulatory changes – the data exporter is entitled to terminate not only the data transfer but also the contract on the behalf of which the data is being transferred.