The UK government has updated its guidance for UK organisations that receive and send personal data from and to the European Economic Area (the EU member states, plus Norway, Iceland and Liechtenstein) or which operate there, following the recent data protection adequacy decision by the EU.
An EU adequacy decision is a formal recognition by the EU that a non-EU country, in this case the UK, has adequate data protection laws that protect the privacy of individuals’ personal data to the EU’s satisfaction. It means that additional steps to protect such personal data, such as requiring that every legal agreement under which personal data is to be moved between the UK and European Economic Area (EEA) contains special protective clauses, known as Model or Standard Contractual Clauses, do not have to be taken by the businesses concerned.
The same is also true in relation to personal data a UK organisation receives from or sends to any other ‘third’ (ie non-EEA) country benefiting from an EU data protection adequacy decision.
The updated UK guidance ‘Guidance: Using personal data in your business or other organisation’ covers the action UK organisations need to take regarding data protection and data flows with the EU and EEA. It includes sections on ‘what personal data is’ and on ‘receiving personal data from the EU and EEA and from third countries which have EU adequacy decisions’.
However, the adequacy decision will be reviewed after four years (in June 2025) and can be suspended, repealed or amended at any time.
UK organisations receiving and transferring personal data from and to the EEA should check out the UK Guidance on the GOV.UK website.
CONTACT US
For advice on all aspects of company and commercial law, please call our specialist team on 01484 821 500 or fill out our online enquiry form and we will be in touch at a convenient time for you.