The provisions of Union law on personal data protection applicable at the date of withdrawal will continue to apply to personal data in the United Kingdom processed before the date of withdrawal and pertaining to data subjects in the EU27 or data subjects outside the Union, to the extent that this data is covered by EU law on personal data protection before the date of withdrawal. The data subjects concerned will, for example, continue to have the right to be informed, the right of access, the right to rectification, to erasure, to restriction of processing, to data portability, to object to processing and not to be subject to a decision based solely on automated processing, on the basis of relevant provisions of EU law applicable on the withdrawal date.

The personal data referred to above will be stored no longer than is necessary for the purposes for which the personal data was processed. Where sectorial rules applicable on the date of withdrawal provide for specific maximum mandatory storage periods, the data will be automatically erased upon the expiry of that period. The personal data in question can be transferred to non-EU27 countries and to international organisations only if the transfer is carried out in accordance with the conditions set forth in EU law on personal data protection applicable on the withdrawal date, in particular in Chapter V of Regulation No. 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: the General Data Protection Regulation). The data subjects concerned will also be able to enforce their rights in accordance with the relevant provisions of EU law applicable on the withdrawal date, in particular Chapter VIII of the General Data Protection Regulation, for as long as the personal data in question continues to be processed in the United Kingdom after the withdrawal date.

The Withdrawal Agreement provides for a transition period from its entry into force until 31 December 2020. During the transition period, EU law is applicable to, and in the UK subject to, the terms and conditions specified in the Withdrawal Agreement. Article 71 and particularly Articles 72 to 73 of the Withdrawal Agreement deal with the protection of personal data.

Pursuant to the Withdrawal Agreement, during the transition period the EU law on personal data protection shall apply in the UK in respect of processing personal data of data subjects outside the territory of the United Kingdom, provided that the personal data were processed under EU law before the end of the transition period or are processed in the United Kingdom after the transition period under the Withdrawal Agreement. [Article 71 of Withdrawal Agreement]

The provisions of EU law on confidential treatment, restriction of use, storage limitation and requirement to erase data and information shall apply in respect of data and information obtained by authorities or official bodies of or in the United Kingdom or by contracting entities on the basis of the Withdrawal Agreement or before the end of the transition period. [Article 72 of Withdrawal Agreement]

Furthermore, the Withdrawal Agreement provides that the EU shall not treat data and information obtained from the United Kingdom before the end of the transition period, or obtained after the end of the transition period on the basis of the Withdrawal Agreement, differently from data and information obtained from a Member State, on the sole ground of the United Kingdom having withdrawn from the Union. [Article 73 of Withdrawal Agreement]

After the end of the transition period, the United Kingdom will become a third country. Consequently, the Commission will be required to decide whether or not the United Kingdom ensures an adequate level of protection for the protection of personal data. If the Commission finds that the level of protection is not adequate, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided the same appropriate safeguards as required in the case of no-deal Brexit, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.