On 21 March 2022, new rules for personal data transfers to countries outside the United Kingdom (“UK”) came into force. Transfer of the respective data according to the previous rules will be possible until 21 September 2022, while starting from 22 September 2022 only new rules will apply to all new transfers. In addition, any contract on transfer of personal data concluded pursuant to the previous rules will be valid until 20 March 2024, while as of 21 March 2024 the parties thereto shall be liable to conclude a new contract, according to the new rules.
Reasons for adoption of the new rules
According to the regulations of the UK on personal data protection, the subjects to whom these regulations apply are obliged to implement appropriate safeguards when transferring personal data outside the country (unless the jurisdiction to which the data is transferred is assessed by the UK as providing an appropriate level of protection to such data, i.e., as existing in the UK).
Following the Brexit, UK and EU concluded the Withdrawal Agreement on 1 February 2020, which stipulates that during the transition period (until 31 December 2020) the UK shall continue to apply the General Data Protection Regulation of the European Union (“GDPR”), therefore the personal data transfers shall be performed in the same way as with respect to the member states of the European Union.
After the expiration of the aforementioned transition period, new rules for the personal data transfers outside the UK were adopted, and they are included in Data Protection Act and General Data Protection Regulation of the respective country.
The subject rules allow such transfers on the basis of a concluded International Data Transfer Agreement or by using the International Data Transfer Addendum to standard contractual clauses established by the European Commission for international data transfers.
The first of the abovesaid options can be used when a specific transfer falls under the UK regulations and involves the conclusion of a separate contract in addition to the “main” contract, while the second one is intended for situations where the transfer is regulated by the GDPR as well, given that the subject regulation stipulates the obligation of both the transferor and the recipient of personal data to apply the new standard contractual clauses.
Regime of personal data transfer from Serbia to the UK
On the other hand, Brexit has not brought any changes in the regime of data transfer from Serbia to the UK, as the subject country is considered a country with an adequate level of protection, since it is a signatory to the Convention 108 (on the protection of persons with respect to the automatic processing personal data), as well as that it is stated in the Decision of the Government of Serbia on the List of states, parts of their territories or one or more sectors of certain activities in those states and international organizations where it is considered that an appropriate level of personal data protection is provided.
This article is to be considered as exclusively informative, with no intention to provide legal advice. If you should need additional information, please contact us directly.