International Reach of the UK Data Protection Act 2018 & GDPR
In addition to being applicable to organisations in the EEA, the GDPR has an international reach, and the same can be said for the UK’s Data Protection Act 2018 (DPA).
Either piece of legislation may apply to an organisation's activities, regardless of the organisation's location or place of establishment.
For example, the DPA applies where personal data processed by an organisation (wherever located) relates to data subjects in the UK, and the GDPR would apply where an organisation offers goods or services to individuals in the EEA (such as a UK-based e-commerce business selling goods to consumers in the EEA). Having to comply with two different legal regimes sounds potentially onerous, but the good news is that, in many respects, the legal requirements are aligned between the GDPR and the DPA (the GDPR being retained in UK domestic law as “UK GDPR” following Brexit).
In certain cases (for example, where the processing activities relating to the personal data of EEA individuals are extensive), an organisation may have to appoint an EEA-based representative who will act as a point of contact with supervisory authorities and individuals in connection with data protection matters. This requirement applies to UK organisations and other organisations outside the EEA.
Likewise, organisations based outside the UK may be required to appoint a UK representative, for example, if they offer goods or services to persons in the UK.
International data transfers
Data protection legislation imposes conditions on data transfers to organisations located outside the UK. The organisation transferring personal data should ensure that the transfer meets relevant legal requirements.
There are many grounds which can be relied on for international transfers, including:
- where the transfer is covered by an adequacy decision (for example, a transfer from the UK to the EEA);
- where the transferring organisation and the recipient sign standard contractual clauses; or
- where the transfer is within a group structure and covered by binding corporate rules.
In addition, organisations processing personal data on behalf of others should be aware of any restrictions placed on international data transfers within the relevant data processor agreement. The agreement may even prohibit such transfers, so it is always best to check.
Brexit and data flows from the EEA to the UK
The UK is a third (non-EEA) country for the purposes of GDPR. However, the UK is currently recognised by the European Union as a territory which provides adequate protection, which means that personal data can flow freely from the EEA to the UK.
How can we help?
Our data protection lawyers have extensive knowledge of and experience advising on the international aspects of data protection compliance. We routinely assist our UK-based clients in relation to international data transfers, as well as organisations outside the UK and EEA on compliance with data protection requirements in connection with their activities in the UK and the EEA. We work closely with our clients to ensure that their data processing activities remain compliant following Brexit.
Where your business needs guidance on data protection requirements in particular countries, we can assist you in getting that guidance through our global network of data protection experts.