A big step closer to UK Adequacy

While UK adequacy looks likely, any future deviation from ECHR and Convention 108 could compromise it. By Nicola Fulford, Paula Garcia and Nick Westbrook of Hogan Lovells.

As the Data Protection Directive did 20 years earlier, the EU General Data Protection Regulation (EU GDPR) establishes a severe restriction in the context of today’s increasingly interconnected and digitally borderless world: transfers of personal data to a so-called “third country”, i.e. any country outside the European Economic Area (EEA), are only allowed subject to ­certain conditions, namely:

  • The third country ensures an adequate level of protection for the personal data as determined by the European Commission (EC);
  • In the absence of that adequate level of protection, the provision of appropriate safeguards (like Standard Contractual Clauses or Binding Corporate Rules) on condition that enforceable data subject rights and effective legal remedies for data subjects are available; or
  • In the absence of the foregoing, the international transfer of personal data fits within one of the derogations for specific situations covered by the EU GDPR.

Continue reading

UK Report subscribers please login to access the full article.

If you wish to subscribe please see our subscription information.