Brexit & data protection

New Brexit decision: The European Union and Great Britain recently agreed to postpone Brexit until at least 12 April. It is still unclear how it will continue with regards to the data protection law. Here is a summary of the possible developments.


A) First, there are three scenarios:
1) There is a ‘hard Brexit’ without any regulation. In this case, it continues with B).
2) There is a deal or a decision by the EU Commission that recognises the British level of data protection as appropriate. Then everything stays the same and there is nothing(!) to do.

B) In the case of a ‘hard Brexit’ the following has to be done:
1. controller-to-processor ratios (DPA)
a) A controller based in the EU has a processor in the UK: here, in addition to the existing DPA, the EU standard contract clauses must be concluded.
b) A controller based in the UK has a processor in the EU: Here (probably) nothing has to be done because the British ICO has already announced that it will recognise the EU data protection level.
 
2. Controller-to-Controller ratios (C2C)
a) A controller based in the EU transfers to a controller in the UK: Here the EU standard contract clauses must be concluded.
b) A controller based in the UK transfers to a controller in the EU: Here (probably) nothing has to be done because the British ICO has already announced that it will recognise the EU data protection level.
 
3. Joint controller ratios (JCA)
a) A controller based in the EU transfers to a joint controller in the UK: Here, in addition to the existing joint controller agreement, the EU standard contract clauses must be concluded.
b) A controller based in the UK transfers to a joint controller in the EU: Here (probably) nothing has to be done because the British ICO has already announced that it will recognise the EU data protection level.