Frank Schröder

Frank Schröder
Director, Head of Marketing & Communications

Büro Dusseldorf
+49 211 6901-1200

Data Transfers to the UK: How can German businesses overcome the Challenges of Brexit?


The end of the Brexit transition period is imminent, and will bring significant changes for EU businesses that trade with (or have a presence in) the UK. In his guest article, Luke Dixon, Partner and Data Protection, e-Privacy and Cyber Law expert at Freeths LLP clarifies important issues for affected businesses in Germany.

In this article, we look at the effect that Brexit will have on transfers of personal data from the EU to the UK, following the conclusion of the Brexit transition period on 31 December 2020. This article will be particularly relevant to German businesses that currently export personal data to affiliates, business partners or other third parties in the UK. 

What is the position under the current Transitional Arrangements?

The current transitional Brexit arrangements allow personal data to flow freely between the EU and the UK. However, this will end on 31 December 2020, unless the EU deems the UK to be an “adequate” country for receiving personal data from the EU from 1 January 2021 onwards.  

It seems increasingly unlikely that the UK will obtain EU adequacy status in time for the end of the transitional period. It could therefore become a “third country” for data exports from 1 January 2021. This means that German businesses will need to apply safeguards to their personal data flows to the UK from that date.

The information below summarises what a German business needs to consider, and how it should deal with its data transfers to the UK in time for 1 January 2021.

Review and map your current data flows to the UK

You will need to identify your data flows from to the UK, so you can understand which flows you need to legitimise, and how. You can do this in cooperation with the UK entities that receive your personal data – it is in their interests to get this process right too. 

Prioritise your key data transfers by volume of data and other factors

As time is running short, you might need to prioritise your business-critical and high volume flows first, or those flows that cover sensitive data.

Consider how you may continue to make these transfers lawfully at the end of the transition period

The most likely mechanism to use will be Standard Contractual Clauses (“SCCs”) to document the data flows. There are alternatives and exemptions that you may consider as well.  

If you decide to use the SCCs, then you should also consider whether to apply extra safeguards to the SCCs. The EU recently issued some Recommendations on how to do this. Your UK partner might be able to help you with this potentially difficult exercise.  

Implement the mechanisms to permit data flows

Whatever mechanism you choose, you will need to have them in place by 31 December 2020.

The current draft SCCs are due for replacement in early 2022.  You might need to repeat this exercise in 12 months’ time…

Update your privacy notices, policies and procedures as necessary

You may need to update your privacy policies and notices to reflect the changes you have made in readiness for post-Brexit transition.

What about Data Transfers from the UK to the EU?

Here is some good news! You may receive personal data from the UK post-Brexit transition as before, without taking further steps. The UK government has said that data transfers from the UK to the EU will not be restricted.

We are a German business with UK operations. The UK Data Regulator also talks about the possible need to appoint an EU Representative and/or a Lead Supervisory Authority. Do we need to worry about that?

These issues are less likely to be relevant to German businesses with UK operations, for the following reasons:

  • They will already be “established” in the EU for the purposes of GDPR.  They should not therefore need to appoint an EU-based data protection representative for their UK operations.
  • If your establishment in Germany is the main place for making decisions within the corporate group, it is likely that the German data protection authorities will be your Lead EU Supervisory Authority. The UK Information Commissioner’s Office will continue to be the data protection authority for your UK operations.

If you have any questions relating to this article or about your responsibility in respect of exporting personal data to affiliates, business partners or other third parties in the UK, then please contact me. 

Luke Dixon
Partner, Data Protection, e-Privacy, and Cyber Law
Freeths LLP
T: +44 2074 405 177
M: +44 7973 889 778

For all issues concerning data transfer and protection in the context of Brexit you can also contact Dr. Christian Engelhardt, Partner at Baker Tilly Germany.