Brexit Checklist For Data Protection.

Updated: Dec 31, 2020











On Dec 31st, 2020, the clock strikes zero for the Brexit transition period. Unless the EU and UK can strike a deal on privacy within the limited time that is left, the UK will become a third country for the member states of the European Economic Area. This has several consequences in the area of privacy. To help you during this time of uncertainty, we have compiled a Brexit checklist with things you need to check before the deadline.


Brexit checklist: Organisations in the UK that collect and/or receive EEA personal data


▢ Check if you are required to have an representative in the EEA

▢ Mention EEA representative in website privacy statement

▢ Check all notices, website privacy statements and internal policies for the correct references to the UK and/or EU GDPR. Which one depends on the location of data subjects

▢ Check whether you have to report your DPO to one or more competent supervisory authorities in the EEA

▢ Check the register of processing activities for UK-EEA data streams and account for the UK being a third country for the EEA

▢ Check whether additional data transfer agreements need to be put in place or existing agreements changed now that the UK is a third country and no longer part of the EEA

▢ The UK considers the EEA adequate countries, to which data can be freely transferred. When receiving EEA personal data, check if there are transfer mechanisms (such as SCC) in place.

▢ When relying on BCR with the ICO as lead supervisor, see the EDPB information note on whether you need to change anything

▢ Monitor possible future deviations between the UK and EU privacy rules as well as the adequacy status of the UK


Brexit checklist: Organisations in the EEA that collect and/or receive UK personal data


▢ Check if you are required to have an representative in the UK

▢ Mention UK representative in website privacy statement

▢ Check all notices, website privacy statements and internal policies for the correct references to the UK and/or EU GDPR. Which one depends on the location of data subjects

▢ Check whether you have to report your DPO to the ICO

▢ Check the register of processing activities for UK-EEA data streams and account for the UK being a third country for the EEA

▢ Check whether additional data transfer agreements need to be put in place or existing agreements changed now that the UK is a third country and no longer part of the EEA

▢ The UK considers the EEA adequate countries, so UK personal data can be freely received. When sending EEA personal data to the UK, check if there are transfer mechanisms (such as SCC) in place.

▢ When relying on BCR with the ICO as lead supervisor, see the EDPB information note on whether you need to change anything

▢ Monitor possible future deviations between the UK and EU privacy rules as well as the adequacy status of the UK


Brexit checklist: Organisations with establishments in both the UK and EEA


▢ When your main establishment is in the UK, check whether it can be moved to EEA if you want to continue to benefit from having a single point of contact for privacy in the country of your main establishment (one-stop-shop mechanism)

▢ Check all notices, website privacy statements and internal policies for the correct references to the UK and/or EU GDPR. Which one depends on the location of data subjects

▢ Check whether you have to report your DPO to the ICO and/or competent supervisory authorities in the EEA

▢ Check the register of processing activities for UK-EEA data streams and account for the UK being a third country for the EEA

▢ Check whether additional data transfer agreements need to be put in place or existing agreements changed now that the UK is a third country and no longer part of the EEA

▢ The UK considers the EEA adequate countries, to which data can be freely transferred. When sending EEA personal data to the UK, check if there are transfer mechanisms (such as SCC) in place.