EU Notice: impact on Island with regard to transfers of personal data to UK after Brexit
Published On:Wednesday, January 10, 2018
On 9 January 2018, the EU Commission published a “Notice to Stakeholders” regarding the “Withdrawal of the United Kingdom from the EU rules in the field of data protection”.
This Notice recognises that, unless there is some other agreement, the UK will become a ‘third country’ when it leaves the EU on 30 March 2019 and the data protection rules in respect of transfers to ‘third countries’ will then apply.
From that date, it will be the responsibility of the controller or processor to ensure that there are appropriate safeguards in place for personal data transferred to the UK.
Appropriate safeguards for regular or routine transfers include the use of standard contractual clauses, binding corporate rules (across corporate groups) or by the entity in the UK complying with approved Codes of Conduct or certification mechanisms in conjunction with binding and enforceable commitments (normally contained in individual contract terms).
One-off, non-regular or non-routine transfers of personal data to the UK can also take place in specific cases without such safeguards, for example with the consent of the data subject for the particular transfer, for the performance of a contract, exercise of legal claims or important public interest reasons. In any event, data subjects should be provided with information about transfers of their personal data to third countries and will be able to exercise any of their rights in respect of such transfers.
Whilst not directly addressing the Isle of Man, this Notice makes it clear that, for as long as the Isle of Man maintains an adequacy finding, Isle of Man controllers and processors transferring personal data to the UK will be impacted.
The Notice means that Isle of Man controllers and processors should now consider any processing of personal data where transfers are made to the UK with a view to establishing appropriate safeguards in preparation for any transfers made after 30 March 2019.
It should also be noted that if the Isle of Man fails to maintain its adequacy finding, transfers of personal data to the Isle of Man from any EU Member State, or other adequate jurisdiction, will also be subject to the additional safeguards indicated above.
You can keep up to date by:
Signing up to our GDPR Newsletter