HR Hub

The EU Commission has adopted 'adequacy decisions' which enable the continued free flow of personal data from the EU into the UK.

Following the UK leaving the EU and the conclusion of the transition period, the UK is considered to be a ‘third country’ for the purposes of the EU General Data Protection Regulation (GDPR). This meant that unless the European Commission awarded the UK a Certificate of Adequacy (confirming that the UK’s national data protection regime is of sufficient standard to allow data transfer), additional safeguards and provisions would have to have been be taken by each individual business, in relation to each individual transfer of data from the EU to the UK.

On 17^th February the EU published draft data adequacy decisions which recognised the sufficiency of the UK’s data protection standards. Positive data adequacy decisions under both the GDPR and the Law Enforcement Directive (LED) allow for personal data to continue to flow freely from the European Union (EU) and wider European Economic Area (EEA) to the UK. Formal adoption of these adequacy decisions took place on 28 June 2021 - thus ensuring that UK organisations can continue to receive personal data from the EU and EEA without additional compliance costs. The adequacy decisions will be reviewed every four years and extended on a rolling basis provided there is no later divergence between the EU and UK regimes. Responding to news of the formal adoption, the Information Commissioner said that it ‘is the best outcome as it means organisations can carry on with data protection as usual. And people will continue to enjoy the protections that their data will be used fairly, lawfully and transparently’.