Awdurdod annibynnol y Deyrnas Unedig a sefydlwyd i gynnal hawliau gwybodaeth er budd y cyhoedd, annog cyrff cyhoeddus i fod yn agored a hybu preifatrwydd data i unigolion.

About this guidance

On 28 June 2021, the EU approved adequacy decisions for the EU GDPR and the Law Enforcement Directive (LED). This means data can continue to flow as it did before, in the majority of circumstances.

Both decisions are expected to last until 27 June 2025.

The General Data Protection Regulation has been kept in UK law as the UK GDPR.

This guidance is aimed at UK businesses who receive data from, or have offices in the EU and European Economic Area (EEA). It gives a basic overview of the changes to data protection since the UK left the EU and now has an approved adequacy decision.

We have also produced more detailed guidance on Data Protection and the EU

What does adequacy mean?

‘Adequacy’ is a term the EU uses to describe countries, territories, sectors or organisations it deems to have an “essentially equivalent” level of data protection to the EU.

The EU Commission have adopted adequacy decisions for the UK GDPR and the Law Enforcement Directive. This means data can continue to flow freely from the EU to the UK, in the majority of cases.

Data transferred from the EU to the UK for the purposes of UK immigration control is not included in the adequacy decision. Neither is data that would fall within the scope of the immigration exemption in the Data Protection Act (DPA) 2018.

If you receive EU GDPR data that falls within the scope of the DPA 2018 immigration exemption you should read our detailed guidance.

What do I need to do now the UK has adequacy?

The EU adequacy decisions apply to the whole of the UK, including Northern Ireland.

If your UK business or organisation receives personal data from the EU or EEA it can continue to flow as before and you do not need to take further action, unless the data falls within the scope of the DPA 2018 immigration exemption.

If you are a UK business or organisation with an office, branch or other established presence in the EEA, or if you have customers in the EEA, you need to comply with both UK and EU data protection regulations. You may also need to designate a representative in the EEA.

Does the GDPR still apply?

The EU GDPR is an EU Regulation and it no longer applies to the UK. If you operate inside the UK, you need to comply with the Data Protection Act 2018 (DPA 2018).

The provisions of the EU GDPR have been incorporated directly into UK law as the UK GDPR. In practice, there is little change to the core data protection principles, rights and obligations. GDPR recitals add depth and help to explain the binding articles. Recitals continue to have the same status as before – they are not legally binding; they are useful for understanding the meaning of the articles.

The EU GDPR may still apply to you if you operate in the EEA, offer goods or services to individuals in the EEA, or monitor the behaviour of individuals in the EEA.

Can organisations in the EU and EEA send data to my UK business?

Yes. Now the EU has an approved adequacy decisions for the UK, most EEA processors will be able to send personal data back to UK controllers with no restrictions.

Data transferred from the EEA to the UK for the purposes of UK immigration control is not included in the GDPR adequacy decision. Neither is data that would fall within the scope of the immigration exemption in the Data Protection Act (DPA) 2018.

If you receive EU GDPR data that falls within the scope of the DPA 2018 immigration exemption you should read our detailed guidance.

What if we lose adequacy?

The EU Commission must monitor developments in the UK on an ongoing basis to ensure that the UK continues to provide an “essentially equivalent” level of data protection.

The Commission can amend, suspend, or repeal the decisions if issues cannot be resolved.

EU data subjects or an EU data protection authority can also challenge the decisions. The Court of Justice of the European Union would then decide whether the UK provides “essentially equivalent” protection.

In the absence of an EU GDPR adequacy decision, the ‘Frozen GDPR’ would apply to personal data that:

  • was processed in the UK under the EU GDPR before 01 January 2021; or
  • is being processed in the UK on the basis of the Withdrawal Agreement (for example, in order to comply with legal obligations under the Withdrawal Agreement).

If the ‘Frozen GDPR’ applies, you may need to identify any personal data about individuals located outside the UK collected before the end of 2020.

If applicable, you may also need to identify any new non-UK personal data you process to comply with the provisions of the Withdrawal Agreement .

What is the ICO’s role now?

The ICO remains the independent supervisory body regarding the UK’s data protection legislation.

The ICO will not be the regulator for any European-specific activities caught by the EU GDPR, although we hope to continue working closely with European supervisory authorities.

What about law enforcement processing?

The data protection regime set out in Part 3 of the DPA 2018 still applies to competent authorities processing for law enforcement purposes. These rules derive from an EU directive but are now set out in UK law and continue to apply (with some minor technical changes to reflect our status outside the EU).

The LED adequacy decision says the UK provides adequate protection for personal data transferred from EU authorities responsible for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. For more information, read Data Protection and the EU – law enforcement processing.

Transfers of data from the UK to the EU and Gibraltar can also continue on the basis of UK adequacy regulations. For more information on how the transfers rules work, read the international transfers page of our Guide to Law Enforcement processing.