The United Kingdom's independent authority established to uphold information rights in the public interest, encourage public bodies to be open and promote data privacy for individuals.

Does this section apply to us?

This section applies to all UK businesses and organisations whose processing of personal data is currently subject to the EU GDPR.

Does this section apply to us?

  • You should review your privacy notices, DPIAs and other documentation to update references to EU law, UK-EU transfers and your EU representative (if you need one).
  • Ensure your DPO is easily accessible from both your UK and (if you have them) EEA establishments.

What are the key points?

  • Privacy notices – You may need to (a) review your privacy notice to reflect changes to international transfers, (b) review references to your lawful bases or conditions for processing if any refer to ‘Union law’ or other terminology changed in the UK GDPR, and (c) identify your EU representative (if you are required to have one).
  • Rights of data subjects – as a reminder, if the UK GDPR applies to your processing of personal data, it doesn’t matter where in the world the individuals whose data you process are located.
  • Documentation – the information required in your record of processing activities is unlikely to change. You may need to review it to reflect changes regarding international transfers. If you have chosen to record the lawful basis or conditions for any of your processing, you need to review any references to ‘Union law’ or other terminology changed in the UK GDPR.
  • Data Protection Impact Assessments (DPIAs) – existing assessments may need to be reviewed in the light of the UK GDPR; for example, if they cover international data flows that on exit date become restricted transfers.
  • Data protection officers (DPOs) – if you are currently required to have a DPO, on exit date that requirement will continue, whether under the UK GDPR or the EU GDPR. You may continue to have a DPO who covers the UK and EEA. The UK and EU GDPRs both require that your DPO is ‘easily accessible from each establishment’ in the EEA and UK.
  • Codes of conduct and certification – Currently there are no approved codes of conduct and certification schemes acting as safeguards for international transfer tools. However, we are working on developing codes of conduct and certification schemes and this work will continue.