European Data Protection Board (EDPB) has adopted on 12 February 2019 an information note on data transfers under the GDPR in the event of a no-deal Brexit.
EDPB confirms that as of 30 March 2019, unless an adequacy decision is adopted by the European Commission by then, data transfers must be based either on:
- standard data protection clauses,
- binding corporate rules
- codes of conduct
- derogations (strictly interpreted).
It is therefore recommended to:
- identify the data processing which imply a data transfer to the UK,
- amend the contract with appropriate clauses,
- update internal documentation (register of processing operations),
- update privacy notice.