Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter GDPR) establishes, in its Art. 1.1, its territorial scope as all the activities of a controller or processor whose main establishment is in the European Union. Thus, as of May 25, 2018, all EU Member States were obliged to comply with the guidelines issued by this body of legislation.
However, after 44 years, on June 23, 2016 the United Kingdom held a consultative referendum in which the population considered leaving the European Union, and the decision was notified to the European Council on March 29, 2017. That notification marked the start of a transition period for exit from the Treaty of just over two years, running until 31 December 2020, during which the parties involved would generate collaboration agreements in different areas, including the protection of personal data transferred to and from the United Kingdom by controllers or processors established in the Union.
The collaboration agreement that was signed established a period of 6 months from January 1, 2021 in which the United Kingdom would issue its own internal legislation regarding the protection of personal data, whose articulation would theoretically be alienated from European regulations.
That is why, from January 1, 2021 until June 30, 2021, transfers of personal data between the parties involved will not be considered international transfers, and it is not necessary to adopt any of the measures provided for in Art. 44 et seq. of the GDPR.
However, as a result of the global pandemic caused by COVID-19, it was not surprising that an extension of the agreement was reached, since the different governments have devoted almost all their efforts to the management of this epidemiological phenomenon.
Finally, and after months of review, on June 28, 2021 the European Commission promulgated, in accordance with Article 45 of the GDPR, an adequacy decision on the United Kingdom, recognising that it provides a level of security equivalent to that required by said body of legislation of the different Member States of the European Union. This result seems prima facie quite logical, given that that country was part of the Union until 31 December 2020.
However, it is important to note that this adequacy decision does not cover all aspects of data protection. The Commission expressly refers to the processing of personal data for migratory reasons: in the words of that body, there is an exception to the adequacy decision because the United Kingdom has not been able to demonstrate that the security measures approved by the GDPR apply to this processing. Once the new UK regulations on data protection resolve this exception, the adequacy decision will be immediately applicable to such processing.
For all the above, I suggest that those companies that act directly or indirectly in the United Kingdom, even though this adequacy decision is already official, apply the measures for the approval of processors, as applies in the case of domestic processing assignments, in order to give greater legal support to the activity and the processing to which it refers. I also suggest that they do not wait for a decision by the European Council on a possible extension, and that they proceed to update their policies and protocols to deal with an event that will take place sooner rather than later, in order to avoid possible gaps and breaches that generate pecuniary sanctions by the supervisory authorities of the Member States.