Published: 6 October 2020
As you know, the United Kingdom has withdrawn from the European Union and is now a third country. A third country refers to any country outside the EU. There is a transition period and this ends on 31 December 2020.
Sharing Data with the United Kingdom
After this date, Transferring personal data to the United Kingdom is not the same as sharing data within the European Union (EU).
From 1 January 2021, we must treat the UK as a third country and follow the EU rules that apply to transfers of personal data to these countries.
How managers can prepare for Brexit
If a UK company you work with transfers, processes, stores, or accesses personal data, you should put specific arrangements in place by October 31 2020.
These arrangements are:
- Identify any personal data used by any UK company or organisation. Including data held on ICT Systems, paper file, biological samples, smear slides, and other forms of data.
- Using the following templates (Word version) (PDF version) contact each company asking that they complete and sign the EU Standard Contractual Clauses.
- This agreement should cover the personal data processed by that company or organisation on behalf or in cooperation with the HSE. Read the EU Contractual Clauses Agreement here.
- Ensure that you have adequate assurance that the controls and measures that are stated as being in place are in place and are being monitored.
- Get each company to complete and sign the EU Model Agreements before the 31 October 2020.
- Keep a list of the companies concerned.
- Email this list to the Data Protection Officer (DPO) at firstname.lastname@example.org
- Include the list in each services’ Record of Processing.
- Tell the DPO if a company is unwilling to complete the EU Model Agreement or if they have not returned it by the deadline.
- Keep an updated list of unsigned agreements from Brexit start date, 31 December 2020.
These arrangements apply to all contracts, including new contracts dealing with personal data transferred, processed, stored or accessed by any company or organisation based in the UK.
Once you have a signed EU Standard Contractual Clauses Agreement from each UK-based company that processes personal data our behalf then you have everything in place.
For more information about this topic or if you have questions, or concerns e-mail the HSE Data Protection Officer at email@example.com