Ever since the United Kingdom (“UK”) announced its departure from the European Union (“EU”), there were a lot of speculations about which rights and obligations will remain applicable to its citizens upon (Br)exit. Naturally, as negotiations were ongoing since 2016 referendum, question of whether the General Data Protection Regulation (“GDPR”) will remain applicable was still left open, until recently.
Recognizing the potential problems that may arise out of clear-cut solution when it comes to applicability of GDPR, the UK-EU Trade and Cooperation Agreement, effective as of 1 January 2021, leaves a six-month transition period during which the transfer of personal data from the EU to the UK will be free. After that time period expires, the UK will be considered as a “third country” with regard to international data transfers, meaning that the transfer of personal data from the EU to the UK will not be free, unless certain safeguards are provided (e.g. Standard Contractual Clauses or Binding Corporate Rules). Nonetheless, the UK remains hopeful that the EU Commission will render an adequacy decision in the meantime, eliminating the scenario in which the UK transfers will require additional safeguards.
In all other aspects, GDPR is not applicable directly in the UK as of 1 January 2021 (safe for extraterritorial application). However, this is not a huge issue for the UK citizens as their personal data enjoy the same level of protection as before. The so-called “UK-GDPR”, the amended Data Protection Act from 2018, which embodies the core principles and safeguards provided by GDPR, will continue to apply as national law in the UK post-Brexit.
That being said, all UK-based companies would be wise to welcome expiration of the six-month transition period ready for every possible scenario and compliant with both UK-GDPR and EU-GDPR.
International transfers from the Serbian perspective
As far as the Serbian data protection regulations are concerned, the Personal Data Protection Act of the Republic of Serbia (“PDPA”) explicitly provides that personal data transfers may be performed freely to third countries and/or international organizations that are parties to the European Council Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. Furthermore, the Serbian Government issued a Decision on the list of countries, a territory or one or more specified sectors within a third country, or an international organization which are considered to provide adequate levels of personal data protection (“Decision”), listing countries to which the free flow of personal data transfers is permitted. The Section I of the Decision enlists the UK by name.
Finally, the Serbian Commissioner for Information of Public Importance and Personal Data Protection issued a public announcement stating that the personal data transfers from Serbia to the UK remain free in accordance with the PDPA and the Decision.
Having said in mind, there is no doubt that Brexit had little to do with international personal data transfer from the perspective of Serbia and its regulations. In fact, nothing has changed in terms of international data transfers as a result. So, the UK based companies with local presence may rest assured. However, it will be interesting to see if the UK will reciprocate after finally seceding from the EU.
This text is for informational purposes only and should not be considered legal advice. Should you require any additional information, feel free to contact us.
By Milos Velimirovic, Partner, and Katarina Zivkovic, Senior Associate, Samardzic, Oreski & Grbovic