The protection of personal data covered by the GDPR in the United Kingdom after the Brexit

Since 1 January 2021, the United Kingdom has no longer applied the General Data Protection Regulations (GDPR). Check out the new landscape in personal data protection after the Brexit.

We began 2021 with the UK’s departure from the European Union. Data Protection speaking, Brexit has meant the end of the application of the General Data Protection Regulation (GDPR) in the United Kingdom.

From now on -and until we have an agreement between the United Kingdom and the European Economic Area (hereinafter referred to as the EEA)-, data processing carried out by UK companies will not be subject to the GDPR (unless UK companies are based in the EEA or process data of Europeans).

The consequences of BREXIT are:


This being the case, and in the absence of an adequacy finding between the UK and the EEA (Article 45 GDPR), any exchange of personal data between EEA organizations and UK organizations will, as a general rule, constitute a transfer of personal data to a third country and therefore require adequate safeguards (Article 46 GDPR). Personal data may only be transferred to a third country (in this case the UK) or international (UK) organization if adequate safeguards are provided and provided that the data subjects have enforceable rights and effective legal remedies.

According to Article 49 of the Regulation, there are other option for accepting international transfers of data between the EEA and the United Kingdom:

(a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request;
(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
(d) the transfer is necessary for important reasons of public interest;
(e) the transfer is necessary for the establishment, exercise or defence of legal claims;
(f) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
(g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.

Please note that the European Data Protection Committee remarked that these are exceptions to be used in a restrictive manner In its December 2020 note,


A further change is that UK companies that are subject to the GPRD and are not established in the Union, must now appoint a representative in the European Union, as provided for in Article 27 of the GPRD.

In particular, this obligation applies to any controller or processor in the private sector who carries out non-occasional, large-scale processing of special categories of data, large-scale processing of data relating to criminal convictions and offences, and who is likely to present a risk to the rights and freedoms of natural persons.

The representative, who must be established in the EU, will act as the contact point of the person responsible or in charge of the interested parties and the supervisory authorities.


Another point to consider in cross-border processing is one-stop-shop. As a reminder, the one-stop mechanism provides for a single main data protection authority, in cases where an entity carries out data processing in several EU countries. As a reminder, the One Stop Shop mechanism provides for a single main data protection authority in cases where an entity processes data in several EU countries.

However, as users, Brexit does not have effects on us in cases where we have entrusted our data to British companies, as these companies will have to comply with the GDPR anyway.

Furthermore, United Kingdom’s supervisory authority, the Information Commissioner’s Officer (ICO), urged British companies to continue to comply with the General Data Protection Regulations and their local data protection regulations in a note issued at the end of December 2020.

5/5 - (5 votes)

Maria Diví

Abogada.Responsable del Área de Derecho Digital.


Leave a Reply

Your email address will not be published. Required fields are marked *

Responsable del tratamiento: HERRERO & ASOCIADOS, S.L.

Finalidad del tratamiento: Publicar su comentario sobre la noticia indicada.

Derechos de los interesados: Puede ejercer los derechos de acceso, rectificación, supresión, oposición, portabilidad y limitación del tratamiento, mediante un escrito, acompañado de copia de documento que le identifique dirigiéndose al correo

Para más información visita nuestra Política de Privacidad.

*Los campos marcados con el asterisco son obligatorios. En caso de no cumplimentarlos no podremos contestar tu consulta.

No Comments