Hi folks, hoping someone can point me in the right direction. I’m trying to find where (or if) the UK has formally documented the decision to recognise that the EU/EEA ensures adequate protection for personal data.
Section 17A of the amended DPA18, as well as the recent Memorandum of Understanding between the DCMS-ICO, talk about “UK adequacy regulations”. Has the UK’s decision to recognise the EU been through this process yet and if so, where can I find it?
Hi Henry, there’s also Schedule 21 of the amended DPA. You can see the Keeling Schedule at https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/969513/20201102_-_DPA_-__MASTER__Keeling_Schedule__with_changes_highlighted__V4.pdf and Sch 21 starts on p365
Here is another resource to look at:
Thanks Hellen, I’d not actually seen that page.
One thing that bugs me about the ICO’s website is it rarely pinpoints what it’s referring to in the legislation. E.g. “The EU Exit Regulations provide provisional arrangements so that UK adequacy regulations include the EEA and all countries, territories and international organisations covered by European Commission adequacy decisions valid as at 31 December 2020” – but then doesn’t direct you to where that is.
I think it is The Withdrawal Agreement that sets out that the UK and EU regard each other as adequate, until the time that the adequacy extension and the possible bridging mechanism expires. Article 71 defines the transfer of personal data back and forth following the end of the transition period.
Here is a link to the Withdrawal Agreement – https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/840655/Agreement_on_the_withdrawal_of_the_United_Kingdom_of_Great_Britain_and_Northern_Ireland_from_the_European_Union_and_the_European_Atomic_Energy_Community.pdf
Thanks Dean – I had a feeling it was lurking somewhere like that…