Transfers of personal data to the UK and Gibraltar post-Brexit

27 March 2019

The Information Commissioner has announced that on exiting the European Union, the UK and Gibraltar will become third countries for the purposes of the data protection legislation.

Controllers and processors in the Isle of Man cannot transfer personal data to controllers or processors in third counties unless that country has an adequacy finding from the European Commission, or one of the additional safeguards set out in Article 46 of the Applied GDPR is implemented by the Isle of Man controller or processor, or a provision of Part 5 of, or Schedule 10 to, the GDPR and LED Implementing Regulations 2018 applies to the specific transfer.

Those additional obligations would impose further regulatory, and possibly costly, requirements on Isle of Man controllers and processors.

However, on 20 March 2019, Tynwald approved regulations which effectively maintain the ability for Island controllers and processors to transfer personal data to controllers and processors in the UK and Gibraltar post-Brexit without the need for any additional safeguards.

Those regulations will only come into operation if, at the time the United Kingdom (and, by extension, Gibraltar) ceases to be a Member State, the European Commission has not issued an adequacy decision in respect of either or both countries. 

To find out more information, visit the Information Commissioner's website here.