GDPR Policy

GDPR (General Data Protection Regulation) came into force 2018. These regulations focus on ensuring people have more control over their own data and aim to make everything more transparent with a clearer environment in which to operate.

Brexit impact statement as of 08/01/21

MyIdentity is committed to ensuring the lawful, fair and safe processing of data. As listed in our Privacy Policy the data that we collect will be transferred, stored and processed using Amazon Web Servers (AWS) which are held at a destination within the European Economic Area (“EEA”). We remain satisfied that AWS servers offer the highest level of security and are ISO 27001 compliant and we will continue to keep such security measures under review as appropriate.

In respect of this transfer of data from the UK to the EEA (and vice versa) we have determined that this remains appropriate and legitimate in accordance with the current legislation.

The DP Brexit Regulations amend the retained EU law version of the GDPR (which is renamed the “UK GDPR”) and the Data Protection Act 2018 to create a single UK data protection regime for general processing that applies after Brexit. The amended UK data protection legislation provides that transfers from the UK to the EU can continue without additional protections being put in place, as EU countries will be deemed by the UK to have an adequate level of data protection. Our transfers of data to AWS in the EEA are currently fair and lawful on this basis, subject of course to ongoing review.

In respect of the data following back to the UK from the EEA - on 24 December 2020, the UK and the EU reached a trade and co-operation agreement addressing the arrangements following the end of the Brexit transition period on 31 December 2020 (implemented by the European Union (Future Relationship) Act 2020)

The final provisions of the agreement include an interim provision (bridging mechanism) for transmission of personal data to the UK from the EEA. This is for four months from the agreement entering into force, extended by two months unless one of the parties objects, or, if earlier, until there is an adequacy finding for the UK.

The agreement provides that personal data transfers from the EU/ EEA to the UK can continue without additional safeguards and such transfers are not considered to be a transfer to a third country under EU law provided that the UK's applicable data protection regime continues to apply. The EU Commission is continuing its assessment of adequacy for the UK and both the UK and EU have noted the intention of the Commission to promptly launch the procedure for adoption of adequacy decisions.

If there is no adequacy finding for the UK during the additional transition period (or any further extension), the most likely mechanism to be used for transfers from the EU / EEA to the UK is the use of Standard Contractual Clauses. We are prepared for this potential eventuality and will confirm any necessary steps should this become necessary.

Whilst MyIdentity cannot give any advice regarding GDPR, we are happy to answer any questions relating to our own GDPR process, please email us at support@MyIdentity.org.uk.

Our Terms & Conditions, Privacy Policy and Cookies Policy are available on the www.myidentity.org.uk website.