On September 10, 2019, the French data protection authority (the “CNIL”) updated its existing set of questions and answers (“FAQs”) on the impact of a no-deal Brexit on data transfers from the EU to the UK and how controllers should prepare.
As matters stand, the United Kingdom is due to leave the European Union at 00.00 am CET on November 1, 2019, and from that point will be considered a third country for data transfer purposes under the EU General Data Protection Regulation (“GDPR”). As such, post-Brexit, a data transfer mechanism will be required to transfer personal data from the EU to the UK.
The FAQs recommend that entities transferring personal data to a controller or a processor in the post-Brexit UK should take five steps to ensure GDPR compliance:
- Identify the processing activities that involve a transfer of personal data to the UK.
- Determine the appropriate transfer mechanism to put in place for these activities.
- Implement the data transfer mechanism so that it applies and is effective on November 1, 2019.
- Update internal documents to include references to data transfers to the UK.
- Where applicable, update relevant privacy notices to indicate data transfers outside the EU and the EEA where there is a transfer to the UK.
The FAQs also discuss the data transfer mechanisms that are valid under the GDPR (e.g., standard contractual clauses, ad-hoc contractual clauses, binding corporate rules, codes of conduct and certification mechanism). The CNIL emphasizes that the chosen mechanism, whichever it may, must be effective by November 1, 2019. If controllers rely on a permitted derogation under the GDPR, that must be strictly in accordance with the criteria set forth in Article 49 of the GDPR.