Data protection law in the UK after Brexit 2020
Here are the overall changes to UK law after Exit Day
The EU’s GDPR has been amended into a new “UK-GDPR” (United Kingdom General Data Protection Regulation) that took effect on January 31, 2020.

The Data Protection Act 2018 has been amended to be read in conjunction with the new UK-GDPR instead of the EU GDPR.

The European GDPR will apply to the UK in the transition period lasting from January 31, 2020 until December 31, 2020 (unless further extensions are agreed upon between the UK and EU).

It is likely that the UK government will move to consolidate the two amended laws (UK-GDPR and Data Protection Act 2018) into one, comprehensive piece of data protection law at a later point.

All the main principles, obligations and rights remain in place.
What is UK GDPR?
The United Kingdom General Data Protection Regulation (UK-GDPR) is essentially the same law as the European GDPR, only changed to accommodate domestic areas of law.

It was drafted from the EU GDPR law text and revised so as to read “United Kingdom” instead of “Union” and “domestic law” rather than “EU law”. This means that the core definitions and legal terminology now famous from the European GDPR, such as personal data, the rights of data subjects, controller and processor, and their need for legal bases for processing (like prior consent), are all to be found in the UK-GDPR.
Is UK GDPR the same as EU GDPR?
UK-GDPR expands and changes the European GDPR. The areas expanded on by the UK-GDPR are:
National security
Intelligence services
Immigration

These areas are by definition outside the scope of the European GDPR, since it is an extra-national regulation from the EU without powers to govern matters of national security in member states.

However, the UK-GDPR sets out certain exceptions by which the regular protection of personal data can be bypassed, e.g. in matters of national security or immigration. It also applies the same requirements for collection and processing of personal data to the intelligence services.

Another big change in the UK-GDPR is that the Information Commissioner, the leading data protection authority in the UK today, will become the leading supervisor, regulator and enforcer of the UK-GDPR.

This means that where the European Data Protection Board would previously have been the highest supervisory authority under the EU GDPR, the ICO now takes over all matters relating to regulation and enforcement of the UK-GDPR.

Additionally, the Secretary of State is being endowed with powers to determine or revoke adequacy decisions on behalf of the UK-GDPR.

Furthermore, when the UK-GDPR came into effect on January 31, 2020, it automatically recognized all EU countries as adequate, along with recognizing all existing EU adequacy decisions as UK adequate as well (e.g. the US Privacy Shield).

And lastly, a notable difference between the European GDPR and the new domestic UK-GDPR is that the age of valid consent is lowered to 13 years in the UK (16 years in the EU).
How are personal data processed by Xchange Finance Limited?
Xchange Finance processes data only for specific purposes, and the data are not stored for longer than necessary. Xchange Finance maintains the data which are necessary for providing the services selected by the customer, and Xchange Finance is able to deliver it to the customer.

Xchange Finance processes personal data in one or more of the cases mentioned below:
for signing and executing the agreement;
when requested by the law;
for pursuing legitimate (lawful) interests;
when consent has been obtained from the customer.

Our Data processing Policy

The Personal data processing Policy provides information on the processing and protection of personal data of Xchange Finance customers, employees and other individuals. In addition to the description of the Policy, more detailed information on the processing of personal data can be included in your service agreements, other documents related to services and on the website.

Who can access these data?

Xchange Finance may share customer data only in the following cases:
If the data are required by a public/supervisory authority;
If that is necessary for providing the relevant service by authorized data receivers.

The data receivers authorized by Xchange Finance are the companies that process the data on behalf of Xchange Finance. Xchange Finance shall take the necessary measures to ensure that the authorized data receivers carry out the customer data processing according to the guidance received from Xchange Finance, comply with the required security and confidentiality requirements, and act in accordance with the legal requirements.

How to withdraw your consent

This section explains what to do if you no longer want us to hold or use your personal information.

You can withdraw your consent at any time. Please contact us if you want to do so.
This will only affect the way we use information when our reason for doing so is that we have your consent.

If you withdraw your consent, we may not be able to provide certain products or services to you. If this is so, we will tell you.

Letting us know if your personal information is incorrect

You have the right to question any information we have about you that you think is incorrect. We’ll take reasonable steps to check this for you and correct it.
If you want to do this, please write to us or call us.

Calls may be monitored or recorded.

Non-compliance
The “higher maximum amount” is —
in the case of an undertaking, 20 million Euros or 4% of the undertaking’s total annual worldwide turnover in the preceding financial year, whichever is higher,
or
in any other case, 20 million Euros.
The “standard maximum amount” is —
in the case of an undertaking, 10 million Euros or 2% of the undertaking’s total annual worldwide turnover in the preceding financial year, whichever is higher,
or
in any other case, 10 million Euros.
The maximum amount of a penalty in sterling must be determined by applying the spot rate of exchange set by the Bank of England on the day on which the penalty notice is given.