Cookies on Pinsent Masons website

Our website uses cookies and similar technologies to allow us to promote our services and enhance your browsing experience. If you continue to use our website you agree to our use of cookies.

To understand more about how we use cookies, or for information on how to change your cookie settings, please see our Cookie Policy.

ICO busts 'myth' on Brexit data transfers

UK companies whose EU-based parent companies store personal data on their behalf may need to put new arrangements in place to enable them to access that data in the event of a 'no deal' Brexit, the data protection watchdog has said.28 Jan 2019

Information commissioner Elizabeth Denham confirmed the corporate structure of companies has no bearing on the obligations they have to meet to provide for the protection of personal data when it is being transferred outside of the European Economic Area (EEA).

Currently, UK businesses can freely transfer personal data anywhere within the EEA, unless otherwise restricted by contract. This free flow of information is provided for under EU data protection laws – the General Data Protection Regulation (GDPR).

However, the GDPR places restrictions on the transfer of personal data outside the EEA. Businesses are prohibited from transferring personal data to non-EEA countries unless they have in place one of a number of safeguards to ensure EU data is adequately protected when processed in those 'third' countries. In a 'no deal' Brexit, that will include where the data is transferred to the UK.

In a blog, Denham said it is a "myth" for UK businesses to think they do not need to sort out new agreements around data transfers because their parent company in Europe stores all their personal data records centrally.

"Don’t presume you are covered by the structure of your company," Denham said. "In the case of ‘no deal’, UK companies transferring personal information to and from companies and organisations based in the EEA will be required by law to put additional measures in place. You will need to assess whether you need to take action."

"There are many mechanisms companies can use to legitimise the transfer of personal data with the EEA and standard contractual clauses is one of those… You know your organisation best and will be able to use our guidance to assess if and how you need to prepare. Alternative data transfer mechanisms exist but it can take time to put those arrangements in place," she said.