The Impact of Brexit on GDPR application: Portugal
SÉRVULO PUBLICATIONS 07 Feb 2020
As of January 31st of 2020, the United Kingdom is no longer a Member State of the European Union and Brexit became a reality. On the following day we entered in a transitional period which is estimated to last until December 31st of 2020, albeit the possibility of there being a one to two year extension. During this period everything will work as it did in the pre-Brexit era, since Union law will continue to apply and, consequently, the General Data Protection Regulation ("GDPR"), which is part of it, will also apply.
As an EU Member State, the United Kingdom has been obliged to comply with the General Data Protection Regulation ("GDPR"). This meant the free movement of personal data from Portuguese companies to companies in the United Kingdom, given that Portugal and the United Kingdom, as Members of the EU, were bound by the same safeguards for the protection of personal data transferred in the GDPR. This state of affairs will not change until at least December 31st of 2020. But then what?
Important questions are already beginning to be asked about transfers of personal data from EU countries to the UK when these will no longer free. At the end of the transition period, the UK will be considered a third country in relation to the European Union. From then on, the transfer of personal data from a Portuguese company to a company located in the United Kingdom can only take place if: (i) the European Commission, in the meantime, acknowledges that the United Kingdom ensures an adequate level of protection for the personal data transferred; or (ii) the Portuguese company ensures in advance that the company receiving the data in the United Kingdom has provided, under the conditions required by the GDPR, adequate safeguards for the protection of the personal data transferred. Otherwise, the transfer of data to the United Kingdom will be unlawful and punishable with a fine.
Therefore, attention should be paid to the automatic renewal of contracts with counterparties located in the United Kingdom and to the timely review of such contracts to ensure that transfers of personal data to that country comply with the GDPR.
In short, what precautions should be taken in the near future?
Portuguese public or private companies, organizations or associations wishing to start or continue transferring their personal data to the UK do not need to take further steps, at least until December 31st of 2020. However, after the transition period, compliance with the GDPR will require further precautions for Portuguese companies and organizations when dealing with partners and suppliers located in the UK. Now that Brexit has moved forward, and the Exit Agreement has been signed, we need to be aware of new developments and avoid being bound by existing obligations or making new commitments that may soon result in a situation of non-compliance with the GDPR.
Inês de Sá
is@servulo.com
Catarina Mira Lança
cml@servulo.com