President of the Personal Data Protection Office explains how to transfer personal data from Poland to the UK in case of Brexit

Dodano: 05-02-2019
Kategorie :

In connection with the high likelihood of the withdrawal of the United Kingdom from the European Union without concluding an international agreement regulating this issue, the President of the Personal Data Protection Office has explained at a press briefing what would be the consequences thereof for the Polish data controllers and processors. The President also gave advice on how to prepare properly for this.  

Until 29 March 2019, that is while the United Kingdom remains a Member State of the European Union, there will be to possibility of free data transfer to the entities operating in UK territory, without any additional limitations, just as has been the case so far. Data transfers within the UE make use of the principle of free data flow, according to which the transfer of personal data from Poland to other States of the European Economic Area (EU as well as Iceland, Liechtenstein and Norway) is treated in the same way as if it took place in the territory of Poland. It is required to comply with the basic data processing principles and the resulting obligations.

In the light of the General Data Protection Regulation, as of 30 March the United Kingdom will be treated as a third country. This means that all data transfers to the UK must meet additional requirements on data transfers to third countries or international organisations, which are specified in Chapter V of the GDPR.  

Both Polish entrepreneurs and public entities must prepare for this in advance, so as to ensure the legitimacy of data transfers to the United Kingdom in the new legal state to be applicable as of 30 March 2019.  Each data controller or processer currently transferring data to the United Kingdom shall:

  • Identify which data, for what purposes and on what legal basis are currently transferred to the United Kingdom;
  • Decide on whether these transfers will continue after 29 March 2019;
  • Choose and implement a relevant mechanism or legal basis enabling data transfer;
  • If needed, modify:
    • the internal data processing documentation, including a record of processing activities,
    • the information clauses,
    • the existing Binding Corporate Rules;
  • Follow the information on the process of the UK’s withdrawal from the EU, as it is not sure yet, under what rules it will take place, which may have an impact on the obligations related to data transfer.

Depending on the course of events in the coming weeks the President of the Personal Data Protection Office will provide up-to-date information and guidelines.