Skip to main content

We use strictly necessary cookies to make our site work. We would also like to set optional cookies (analytical, functional and YouTube) to enhance and improve our service. You can opt-out of these cookies. By clicking “Accept All Cookies” you can agree to the use of all cookies.

Cookies Statement and Privacy Statement


Information for health care workers is available on Coronavirus guidance documents are available on

New rules around Data Protection for Brexit

Information HSE managers need about the transfer of personal data to UK companies from 31 December 2020.

Published: 6 October 2020

As you know, the United Kingdom has withdrawn from the European Union and is now a third country. A third country refers to any country outside the EU. There is a transition period and this ends on 31 December 2020.

Sharing Data with the United Kingdom

After this date, Transferring personal data to the United Kingdom is not the same as sharing data within the European Union (EU).

 From 1 January 2021, we must treat the UK as a third country and follow the EU rules that apply to transfers of personal data to these countries.

How managers can prepare for Brexit

If a UK company you work with transfers, processes, stores, or accesses personal data, you should put specific arrangements in place by October 31 2020.

These arrangements are:

  1. Identify any personal data used by any UK company or organisation. Including data held on ICT Systems, paper file, biological samples, smear slides, and other forms of data.
  2. Using the following templates (Word version) (PDF version) contact each company asking that they complete and sign the EU Standard Contractual Clauses.
  3. This agreement should cover the personal data processed by that company or organisation on behalf or in cooperation with the HSE. Read the EU Contractual Clauses Agreement here.
  4. Ensure that you have adequate assurance that the controls and measures that are stated as being in place are in place and are being monitored.
  5. Get each company to complete and sign the EU Model Agreements before the 31 October 2020.
  6. Keep a list of the companies concerned.
  7. Email this list to the Data Protection Officer (DPO) at
  8. Include the list in each services’ Record of Processing.
  9. Tell the DPO if a company is unwilling to complete the EU Model Agreement or if they have not returned it by the deadline. 
  10. Keep an updated list of unsigned agreements from Brexit start date, 31 December 2020.

These arrangements apply to all contracts, including new contracts dealing with personal data transferred, processed, stored or accessed by any company or organisation based in the UK. 

Once you have a signed EU Standard Contractual Clauses Agreement from each UK-based company that processes personal data our behalf then you have everything in place.

For more information about this topic or if you have questions, or concerns e-mail the HSE Data Protection Officer at 






Related Content

  • Commission Decision of 5 February 2010
    Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (notified under document C(2010) 593)Text with EEA relevance
  • Brexit gdpr letter pdf file
    pdf of brexit supplier letter
  • Brexit gdpr letter template word file
    Using this template, contact each company asking that they complete and sign the EU Contractual Clauses Agreement.