The EU Commission adopted an adequacy decision for the UK and thereby confirmed that the UK GDPR provides an equivalent level of protection to that in the EU. What this means for your UK-based company and which obligations you may have despite the adequacy decision will be shown in this article.
Update, March 2025
The European Commission proposed a six-month extension to the current UK data adequacy decisions (see below).
The adequacy decision for the UK
Following Brexit, the UK is now governed by the UK General Data Protection Regulation (UK GDPR), which makes it a third country under the EU General Data Protection Regulation (GDPR). To enable the free flow of data from the EU to a third country, the EU Commission can adopt an adequacy decision according to Article 45 GDPR.
On 28 June 2021 the EU Commission formally adopted such an adequacy decision for the UK, confirming that the UK has a data protection level equivalent to the EU level of protection. On this basis, data can continue to flow from the EU to the UK.
Data transfers between the EU and the UK under the adequacy decision
The adequacy decision of the EU Commission confirmed an equivalent data protection level under the UK GDPR. This enables UK-based companies to receive data from the EU without having to implement further safeguards.
The adequacy decision only includes an exception for data that is transferred for the purpose of UK immigration control or where the UK immigration exemption in the UK DPA 2018 applies. To transfer data covered by the exception from the EU to the UK, other safeguards provided by the GDPR (see Art. 46) must be used by the EU entities transferring the data in order to ensure an adequate level of protection. The most common tool are Standard Contractual Clauses adopted by the EU Commission, into which the sender of the data can enter with the receiving UK-based company.
Limited duration of the adequacy decision
UK-based companies should keep in mind that the adequacy decision of the EU Commission contains a so-called “sunset clause” that limits its duration until 27 June 2025. It can be renewed by the EU Commission, provided that the level of data protection in the UK continues to be adequate.
The EU Commission may revise its decision at any time if the UK level of data protection decreases, e.g., caused by a change in UK legislation.
Finally, data subjects or EU data protection authorities might challenge the adequacy decision before the European Court of Justice (ECJ), which could lead to the overturning of the decision. In any of these cases, safeguards provided by the GDPR (see Art. 46) must be used by the sender of the data to ensure an equivalent level of protection and to legally transfer data from the EU to UK-based companies.
EU proposes six-month extension to the adequacy decision
On March 27, 2025, the European Commission proposed a six-month extension to the current UK data adequacy decision, originally adopted in 2021. If approved, the extension will maintain the free and secure flow of personal data from the EU to the UK until 27 December 2025.
Why the extension?
The proposed six-month extension aims to maintain uninterrupted data flows while the UK finalises its legislative reform process, particularly regarding the , introduced on 23 October 2024.
During this transitional period, the UK’s current data protection rules – those deemed adequate in 2021 – will continue to apply, ensuring legal certainty for businesses and public authorities operating across borders.
EU Commissioner Michael McGrath, responsible for Democracy, Justice, the Rule of Law, and Consumer Protection, emphasised:
“The adequacy decisions are key to our relationship with the UK. They ensure data can flow freely and safely, which is crucial for trade, justice, and law enforcement cooperation. […] Our proposal will allow the Commission to assess whether to renew these decisions based on a stable legal framework, while keeping data flows to the UK uninterrupted.”
What happens after that?
Once the UK’s legislative process concludes, the European Commission will assess whether the new UK legal framework continues to offer an adequate level of protection for personal data. If the assessment is positive, the Commission is expected to renew the adequacy decisions beyond 2025.
Next steps
The draft extension decisions will now be submitted to the European Data Protection Board (EDPB) for its opinion. This is a standard part of the adoption procedure. If the process concludes without objections, the extension will remain valid until 27 December 2025.
Further obligations for companies under the GDPR and national provisions
Despite the adequacy decision, UK-based companies still have to take into account the provisions of the GDPR. In particular, an EU representative has to be appointed if your company does not have an establishment within the EU. The representative has to be designated in writing in one of the Member States where the data subjects are located. The appointed representative has to be mandated as one of the (or the only) contact persons for supervisory authorities and data subjects on data processing-related issues.
Moreover, UK companies have to comply with national data protection laws of all EU countries in which they operate. All national data protection laws have to be in compliance with the EU GDPR; however, national laws might specify, modify or complement the provisions of the GDPR. See our free data protection comparison for national deviations from the EU GDPR.
Bottom line
For now, organisations transferring personal data from the EU to the UK can continue to operate without changes, as no additional contractual clauses or transfer mechanisms are required.
However, long-term planning should account for the possibility of changes to the adequacy status, depending on the final form of UK data legislation.
