Awdurdod annibynnol y Deyrnas Unedig a sefydlwyd i gynnal hawliau gwybodaeth er budd y cyhoedd, annog cyrff cyhoeddus i fod yn agored a hybu preifatrwydd data i unigolion.

The Brexit transition period ended on 31 December 2020. As part of the new trade deal, the EU has agreed to delay transfer restrictions for at least four months, which can be extended to six months (known as the bridge). On 19 February 2021 the European Commission published its draft decisions on the UK’s adequacy under the EU’s General Data Protection Regulation (EU GDPR) and Law Enforcement Directive (LED). In both cases, the European Commission has found the UK to be adequate. The draft decisions will now be considered by the European Data Protection Board (EDPB) and a committee of the 27 EU Member Governments.  If the committee approves the draft decisions, then the European Commission can formally adopt them as legal adequacy decisions.  If adequacy decisions are not adopted at the end of the bridge, transfers from the European Economic Area (EEA) to the UK will need to comply with EU GDPR transfer restrictions.  If you receive personal data from the EEA, we recommend you put alternative safeguards in place before the end of April, if you haven’t done so already.

Please note that the bridge does not override the provisions of the Withdrawal Agreement, which applied as of 01 January 2021.

We will keep our guidance under review, and update it as the situation evolves. Please continue to monitor the ICO website for updates.

Does this guidance apply to us?

If you’re new to this topic, go here first for an overview of the key points you need to know and practical guidance to help you prepare for the end of the transition period.

This guidance explains data protection at the end of the Brexit transition period in more detail. Read it if you have detailed questions not answered in our other resources, or if you need a deeper understanding of data protection law and how it has changed

It is particularly relevant to UK businesses and organisations that rely on international data flows, target European customers or operate inside the European Economic Area (EEA).

This guidance is aimed primarily at DPOs and those with specific data protection responsibilities. It is not aimed at individuals and, if needed, we will provide guidance for individuals in due course.