Every business holding personal data from clients or potential clients must comply with data protection regulations. Below, we explain the current legal landscape for international data transfers that Spanish resident companies with UK resident clients or potential clients should be aware of.
Brexit prompted the UK and the European Union (EU) to enter into the Trade and Cooperation Agreement (24.12.2020), which established a six-month period (until 30th of June 2021) during which both parties were able to carry on transferring personal data without any restriction, in the same way as they did before Brexit.
The General Data Protection Regulation 2016/679 (GDPR), which regulates the protection of personal data within the EU, sets out a mechanism called «adequacy decision» to assess the «adequacy» of those countries that, despite not being EU members, have in place regulatory standards that, in the Commission's opinion, guarantee adequate data protection. Such a decision consequently allows for the transfer of personal data from the EU to those countries without the need for additional safeguards.
On 28th June 2021, the European Commission adopted an adequacy decision for the UK, allowing the free movement of data for a four-year period from the adoption of the adequacy decision, i.e. until 28th June 2025. Afterwards, the EU will start a new process of evaluating the standards of UK data protection regulation and, accordingly, conclude whether or not to renew the «adequacy status» of the UK.
Currently, data protection in the UK is regulated by the UK GDPR, whose content is the same as that of the GDPR, the only difference being that the references the GDPR makes to EU data protection supervisory bodies are replaced with references to data protection officers in the UK.
Laura Gallego Herráez.
Associate Spanish Lawyer and business developer at Scornik Gerstein LLP.
Email: laura.gallego@scornik.com