As a direct consequence of Brexit, the sharing of personal data with the UK has become a transfer of data outside the EU, which is prohibited in principle by the GDPR.

Since 28 June 2021, the UK has been recognised as a country with a level of data protection equivalent to that guaranteed by the GDPR. By virtue of two adequacy decisions adopted by the European Commission, transfers of personal data from the territory of the EU to that of the UK are therefore permitted and may be carried out by controllers and processors without the need to put in place standard contractual clauses or other specific guarantees.

This decision is not surprising insofar as, prior to Brexit, the UK was subject to the GDPR and had brought its national legislation into line.

The adequacy decision relating to RGPD and the adequacy decision relating to the Police-Justice Directive