Is your data protection policy ready post-Brexit?
Here is how to make sure that you can still transfer data to the UK. Read the Brexit tips and advice from Lexing Belgium.
On 31 January 2020, the United Kingdom officially left the European Union.
What are the consequences for companies established in EU Member States?
To avoid data being subject to a foreign legal framework that is less protective than the GDPR, the transfer of personal data outside the EU is prohibited in principle.
Since 1st January 2021, the United Kingdom has been considered a “third country” to the European Union. This means that any data transfer from an EU Member State to the UK will constitute a “cross-border flow” whose lawfulness has to be assessed in the light of Articles 44 to 49 of the GDPR.
According to Article 45 of the GDPR, data transfers to third countries can take place when the European Commission adopts a so-called “adequacy decision” by which it establishes that the data recipient country provides data protection safeguards which are “essentially equivalent” to those of the GDPR.
A first adequacy decision had been adopted by the European Commission for the UK.
While the adequacy decisions concerning the United Kingdom were due to expire on June 27, 2025, the European Data Protection Board (EDPB) recently issued a favorable opinion on the European Commission’s proposal to extend their validity by six months. This extension concerns two separate decisions: one taken under the GDPR and the other under the Directive on data protection in the framework of police and judicial cooperation in criminal matters.
On June 24, 2025, the European Commission finally formally adopted Decision (EU) 2025/1226, extending the validity of the adequacy decisions until December 27, 2025.
What should you do if the adequacy decisions are not extended beyond December 27, 2025?
In the absence of an adequacy decision, four alternative mechanisms exist to ensure the required level of data protection.
1. Contractual clauses
In 2010, the European Commission adopted two decisions to which were annexed standard contractual clauses (“SCCs”) for the transfer of personal data.
In a judgment of 16 July 2020 (“Schrems II judgment”), the Court of Justice of the European Union (“CJEU”) confirmed that SCCs are valid and can be used to transfer data to a third country. However, the CJEU added that SCCs are no longer sufficient on their own.
Why? SCCs are only contractual obligations imposed on the parties by the parties themselves and they alone cannot ensure a sufficient level of data protection against possible state interference.
It is therefore necessary for the controller to assess the legal situation prevailing in the third country and, where applicable, to adopt “supplementary measures” in order to ensure the effectiveness of such level of protection. This assessment should be made on a case-by-case basis by the controller, in collaboration with the recipient of the data.
However, the CJEU does not specify which measures these could be, other than that they are effective mechanisms that make it possible, in practice, to ensure compliance with a level of protection essentially equivalent to that guaranteed by the GDPR.
To remove uncertainty about the concept of supplementary measures and help controllers assess the third country legislation, the EDPB published two recommendations (Recommendation 01/2020 and 02/2020) on 11 November 2020.
The first recommendation focuses on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. It contains a 6-step roadmap to help controllers assess whether the transfer ensures appropriate safeguards.
The second recommendation deals with the European essential guarantees for surveillance measures. It aims to help controllers assess whether the surveillance measures of the importer’s country allow access to personal data by public authorities. One thing is certain: the United Kingdom has significant means of surveillance and caution is therefore necessary.
Therefore, it is up to the controller to decide what technical, contractual and/or organisational measures must be taken to ensure the protection of the data transferred.
On June 4th, 2021, the European Commission published a new version of the SCCs, to update them following the entry into force of the GDPR and the Schrems II judgment.
2. Binding Corporate Rules (BCRs)
Where data transfers take place within the same corporate group, companies may put in place “Binding Corporate Rules”. The purpose of these rules is to ensure that data are adequately protected by all group entities. Each group entity must adhere to these rules in order to secure data transfers within the group, regardless of the location of the data.
However, this tool has the same weaknesses as the SCCs in relation to state interference.
In addition, BCRs must be approved in advance by several national supervisory authorities; this is not an option when you need to be ready before 31st December 2020.
3. Codes of conduct and certifications
Data transfers can also be based on codes of conduct or certification mechanisms. These tools must be binding and adapted to the concrete specificities of the sector concerned.
To date, no code of conduct or certification has been established.
4. Derogations under Article 49 of the GDPR
When none of the three tools set out above can justify the transfer of data to a third country, the controller may, as a last resort, try to rely on the derogations provided for in Article 49 of the GDPR. To do so, the transfer of data to the United Kingdom must be occasional and non-repetitive and meet one of the following conditions:
- the data subject has consented to the proposed transfer, after having been informed of the possible risks of such transfer;
- the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request;
- the transfer is necessary for important reasons of public interest.
Conclusion
If the adequacy decisions are not extended beyond December 27, 2025, data controllers who continue to transfer personal data to the United Kingdom – without relying on one of the four authorized transfer mechanisms – may be in breach of the GDPR and subject to enforcement action.
The same is true for controllers who would simply continue to apply the SCCs without assessing the national law and practice applicable in the UK and without adopting supplementary measures where necessary.
Our advice:
In conclusion, we advise you to:
- Identify in your record of processing activities (ROPA) whether data are transferred to recipients (service providers, subsidiaries, etc.) located in the United Kingdom;
- Update your ROPA accordingly;
- Indicate in your data protection policy that data is transferred outside the European Union and more specifically to the United Kingdom, and refer to the appropriate safeguards adopted and the means by which to obtain a copy of them or where they have been made available.
