International Reach of the UK Data Protection Act 2018 & GDPR

In addition to being applicable to organisations in the EEA, the GDPR has an international reach, and the same can be said for the UK’s Data Protection Act 2018 (DPA).

Regardless of the location or place of establishment, it is possible that either piece of legislation applies to the activities of an organisation.

For example, the DPA applies where personal data processed by an organisation (wherever located) relates to data subjects in the UK, and the GDPR would apply where an organisation offers goods or services to individuals in the EEA (such as a UK-based e-commerce business selling goods to consumers in the EEA). Having to comply with two different legal regimes sounds potentially onerous but the good news is that, in many respects, the legal requirements are aligned between the GDPR and the DPA (the GDPR being retained in UK domestic law as “UK GDPR” following Brexit).

In certain cases (for example, where the processing activities relating to the personal data of EEA individuals are extensive), an organisation may have to appoint an EEA-based representative who will act as a point of contact with supervisory authorities and individuals in connection with data protection matters. This requirement applies to UK organisations and other organisations outside the EEA.

Likewise, organisations based outside the UK may be required to appoint a UK representative, for example, if they offer goods or services to persons in the UK.

International data transfers

Data protection legislation imposes conditions on data transfers to organisations located outside the UK. The organisation transferring personal data should ensure that the transfer meets relevant legal requirements.

There are many grounds which can be relied on for international transfers, including:

  • where the transfer is covered by an adequacy decision (for example, a transfer from the UK to the EEA);
  • the transferring organisation and the recipient sign standard contractual clauses; or
  • the transfer is within a group structure and covered by binding corporate rules.

In addition, organisations processing personal data on behalf of others should be aware of any restrictions placed on international data transfers within the relevant data processor agreement. The agreement may even prohibit such transfers so it is always best to check.

Brexit and data flows from the EEA to the UK

The UK is a third (non-EEA) country for the purposes of GDPR. However, the UK is currently recognised by the European Union as a territory which provides adequate protection for which means that personal data can flow freely from the EEA to the UK.

How can we help?

Our data protection lawyers have extensive knowledge of and experience advising on the international aspects of data protection compliance. We routinely assist our UK-based clients in relation to international data transfers, as well as organisations outside the UK and EEA on compliance with data protection requirements in connection with their activities in the UK and the EEA. We work closely with our clients to ensure that their data processing activities remain compliant following Brexit.

Where your business needs guidance on data protection requirements in particular countries, we can assist you in getting that guidance through our global network of data protection experts.

Latest updates from @MacRoberts

  • Our award-winning Family Law team can help you and your partner through difficult situations by providing support w… 27/07/2021
  • To celebrate the Olympic Games in Tokyo, we're delighted to launch our latest sporting challenge in support of our… 23/07/2021
  • MacRoberts is recruiting! We are currently looking for a Real Estate Planning Solicitor to join the MacRoberts tea… 23/07/2021
  • The countdown is on! With just 100 days to go, we’re looking forward to #COP26 in Glasgow! ♻️ As a firm accredite… 22/07/2021
  • Has lockdown led you to consider a move to the countryside? From discussing a possible purchase to obtaining the… 22/07/2021
  • Have you seen our latest vacancies? 💼 We currently have opportunities in various departments across the firm. Fin… 21/07/2021
  • Acas has published new guidance for employers with helpful information on #flexibleworking & #hybridworking. With t… 20/07/2021
  • Busting the myth that a career in law is only for the privileged few: @marikaflawyer is speaking at this morning’s… 19/07/2021
  • MacRoberts is recruiting! We are currently looking for a Support Services Assistant to join our team in Edinburgh.… 16/07/2021
  • MacRoberts is pleased to have been part of the team advising @HV_Systems in its £5m capital boost from Beehive Equi… 15/07/2021
  • MacRoberts is recruiting! We are currently looking for a NQ Solicitor to join our Conveyancing & Private Client te… 14/07/2021
  • For the last of our IGTV mini-series, we hear from Katie MacLeod. She will be giving an insight into what it’s like… 14/07/2021
  • RT @marikaflawyer: Exciting opportunity for Associate in our award winning Family Law team #familylaw #LegalCareer 14/07/2021
  • MacRoberts is recruiting! We are currently looking for an Associate to join our Family Law team in Edinburgh or Gl… 14/07/2021
  • Last week, the UK Government took the decision to relax the rules on the length of time lorry drivers can work as a… 13/07/2021