Transfer of personal data to the UK

The withdrawal of the United Kingdom from the European Union had an impact on the rules on the flow of personal data. From that point on, the UK became a third country as defined in the GDPR, the consequence of which – among other things – was intended to limit the free flow of personal data to and from the EU. However, this has not happened. Initially, on December 24, 2020, UK and EU representatives signed a Trade and Cooperation Agreement (TCA) that allowed the free transfer of personal data from the UK to the EU 6 months longer.

New decisions of the European Commission

This year the European Commission has adopted two implementing decisions finding an adequate level of protection for personal data in the UK: implementing decision dated 28.06.2021 in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom and implementing decision of 28.06.2021 in accordance with Directive 2016/680 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom.

What is the significance of both decisions?

The aforementioned decisions ensure such free transfer of personal data to the UK. By designating the UK as a third country ensuring an adequate level of protection for personal data, it has enabled the free transfer of personal data by entities within the European Economic Area (EEA) without recourse to the other mechanisms listed in Chapter V of the GDPR. The Commission’s adequacy decision is the mechanism set out in Article 45 of General Data Protection Regulation (GDPR). Based on this article, the commission examines such features of the state as the rule of law, respect for human rights and fundamental freedoms, national security and, above all, access to personal data by public authorities and data protection principles. The Commission also checks whether the country has at least one independent supervisory authority to enforce data protection rules. If the assessment is positive, the Commission may, by means of an implementing act, adopt a decision finding that the third country in question ensures an adequate level of protection for personal data. Such decision adopted by the commission shall remain in effect until modified, replaced or repealed by another decision of the commission.  

Duration of the directives

Both decisions took effect on June 28, 2021. They were issued for a period of four years, so they are binding until 27 June 2025. There is an option to extend if the UK continues to provide an adequate level of protection for personal data.

What is the effect of these directives?

The European Commission had to make a comprehensive analysis of the UK legal order before making its decision. The UK adequacy decision includes a mechanism not previously used in such legal tools called the “sunset clause”. The EC’s recognition of the UK as a country that meets the adequacy requirements for personal data allows for data transfers without obtaining additional authorizations or enforcing additional safeguards under Chapter V of the GDPR. These are required if the third country is not compliant with data protection requirements. Checks on compliance with the principles set out in the directives will certainly be carried out.

How was it before?

Prior to the European Commission’s implementing decisions, transfers of data from the EEA to the UK were not treated as transfers to third countries. This was based on the bridging clause in the final provisions of the Trade and Cooperation Agreement between the European Union and the European Atomic Energy Community on the one hand and the United Kingdom of Great Britain and Northern Ireland on the other. It governed the relationship between the EU and the UK from January 1 to June 30, 2021. This was the so-called defined period, negotiated between the EU and the UK, during which transfers of personal data from the EU to the UK were not considered to be transfers to a third country.


Currently, the adequacy decision does not cover data transfers for UK migration control purposes. This is a consequence of the UK domestic court ruling on the interpretation of the limitations on data protection rights in this area. This exception will be kept under review by the European Commission based on the UK’s planned legal arrangements in this area.


The issuance of adequacy decisions by the European Commission will allow those involved in the transfer of personal data between the European Union and the United Kingdom to carry out transfers based on this legal tool. No special permits will be required. The ability to transfer data freely to the UK does not obviate the need to ensure compliance with other data protection laws.


Swobodny przepływ danych i pracowników do i z Wielkiej Brytanii – Legalis

decision_on_the_adequate_protection_of_personal_data_by_the_united_kingdom_law_enforcement_directive_en.pdf (

decision_on_the_adequate_protection_of_personal_data_by_the_united_kingdom_-_general_data_protection_regulation_en.pdf (

Swobodny przepływ danych do Wielkiej Brytanii –

Brexit | European Commission (

UK gets data flows deal from EU — for now | TechCrunch

W samą porę! Jest decyzja o transferze danych do Wielkiej Brytanii – Cyfryzacja KPRM – Portal (

Swobodny transfer danych do UK nadal możliwy – – ochrona danych osobowych w UE, RODO, IOD