Two Executive Decisions of the European Commission

The European Commission has officially confirmed that the United Kingdom of Great Britain and Northern Ireland guarantees an adequate level of protection of personal data.

On 28 June 2021, the European Commission adopted two Executive Decisions setting out the appropriate level of personal data protection in the UK:

  • The first with the reference number C (2021) 4800 finalIssued in accordance with Regulation (EU) 2016/679 (GDPR);
  • The second is a reference number C (2021) 4801 final, issued under Directive (EU) 2016/680.

Effects of European Commission Executive Decisions on Transfer of Data to the United Kingdom

Recognition by the European Commission of a specific third country, in this case Great Britain, that ensuring an adequate level of personal data protection allows free transfer of such data from the European Economic Area (27 EU Member States, Iceland, Liechtenstein and Norway) without the need to obtain additional permits or Implementation of additional safeguards provided in Chapter V of the General Data Protection Regulation, which are required if the third country does not provide such protection.

Likewise, data transfers to the UK will be evaluated on the basis of the provisions of Chapter 3A of the 16 September 2011 Law on Information Exchange with Law Enforcement Authorities of EU Member States, Third Countries, EU Agencies and International Organizations, which is implemented in the Polish legal system of During Chapter V of the Directive (EU) 2016/680.

The possibility to freely transfer data to the UK does not preclude the need to comply with other data protection laws.

The period of validity of the executive decisions of the European Commission

Both resolutions entered into force on June 28, 2021 and were passed for a fixed period of four years. This means that it will apply until June 27, 2025. If during that time the UK continues to ensure an adequate level of personal data protection, the European Commission may extend the validity of these decisions.

Scope of Application of Final Executive Resolution C (2021) 4800 under the General Data Protection Regulation (GDPR)

Transfer of data for UK immigration control purposes is excluded from the subject matter scope of the final KEC (2021) 4800 implementation decision, due to the limited application of UK data protection law in this respect.

Disclosure of personal data prior to the issuance of executive decisions of the European Commission

According to the so-called traffic condition in the final rulings Trade and Cooperation Agreements between the European Union and the European Atomic Energy Community on the one hand and the United Kingdom of Great Britain and Northern Ireland on the other من, which governs the current relationship between the European Union and the United Kingdom from 1 January to 30 June 2021, the transfer of data from the European Economic Area to the United Kingdom has not been treated as a transfer of data to third countries.

Actions required of controllers in connection with the transfer of personal data to the United Kingdom

Since the transfer of personal data to the United Kingdom implies the transfer of personal data to a third country, the controllers in such a particular case must, in particular, appropriately amend the applicable information items and documents for the processing of personal data.