Data protection law in the UK after Brexit 2020

Here are the overall changes to UK law after Exit Day –

  • The EU’s GDPR has been amended into a new “UK-GDPR” (United Kingdom General Data Protection Regulation) that took effect on January 31, 2020.
  • The Data Protection Act 2018 has been amended to be read in conjunction with the new UK-GDPR instead of the EU GDPR.
  • The European GDPR will apply to the UK in the transition period lasting from January 31, 2020 until December 31, 2020 (unless further extensions are agreed upon between the UK and EU).
  • It is likely that the UK government will move to consolidate the two amended laws (UK-GDPR and Data Protection Act 2018) into one, comprehensive piece of data protection law at a later point.
  • All the main principles, obligations and rights remain in place.

What is UK GDPR?

The United Kingdom General Data Protection Regulation (UK-GDPR) is essentially the same law as the European GDPR, only changed to accommodate domestic areas of law.

It was drafted from the EU GDPR law text and revised so as to read United Kingdom instead of Union and domestic law rather than EU law. This means that the core definitions and legal terminology now famous from the European GDPR, such as personal data and the rights of data subjectscontroller and processor and their need for legal bases for processing like prior consent are all to be found in the UK-GDPR.

Is UK GDPR the same as EU GDPR?

UK-GDPR expands and changes the European GDPR The areas expanded on by the UK-GDPR are:

  • National security
  • Intelligence services
  • Immigration

These areas are per definition outside the scope of the European GDPR, since it is an extra-national regulation from the EU without powers to govern matters of national security in member states.

However, the UK-GDPR sets out certain exceptions by which the regular protection of personal data can be bypassed, e.g. when in matters of national security or in matters of immigration. It also applies the same requirements for collection and processing of personal data to the intelligence services.

Another big change in the UK-GDPR is that the Information Commissioner, the leading data protection authority in the UK today, will become the leading supervisor, regulator and enforcer of the UK-GDPR.

It means that where before under EU GDPR, the European Data Protection Board would have been the highest supervisory authority, the ICO now takes over all matters relating to regulation and enforcement of the UK-GDPR.

Additionally, the Secretary of State is being endowed with powers to determine or revoke adequacy decisions on behalf of the UK-GDPR.

Furthermore, when the UK-GDPR came into effect on January 31, 2020, it automatically recognized all EU countries as adequate, along with recognizing all existing EU adequacy decisions as UK adequate as well (e.g. the US Privacy Shield).

And lastly, a notable difference from the European GDPR to the new domestic UK-GDPR is that the age of valid consent is lowered to 13 years in the UK (16 years in the EU).

How personal data are processed by Bilderlings?

Bilderlings process data only for specific purposes and the data are not stored for longer than necessary. Bilderlings maintains the data, which is necessary for providing the services selected by the customer and Bilderlings is able to deliver it to the customer.

Bilderlings processes personal data in one or more of the cases mentioned below:

  • for signing and executing the agreement;
  • requested by the law;
  • for pursuing legitimate (lawful) interests;
  • the consent has been obtained from the customer.

Our Data processing Policy

The Personal data processing Policy provides information on the processing and protection of personal data of Bilderlings customers, employees and other individuals. In addition to the description of the Policy, more detailed information on the processing of personal data can be included in your service agreements, other documents related to services and on the website.

Who can access these data?

Bilderlings may share customer data only in the cases: 

  • If the data are required by a public/supervisory authority;
  • If that is necessary for providing the relevant service by authorized data receivers —

The data receivers authorized by Bilderlings, i.e., the companies that process the data on behalf of Bilderlings. Bilderlings shall take the necessary measures to ensure that the authorized data receivers carry out the customer data processing according to the guidance received from Bilderlings, comply with the required security and confidentiality requirements, as well as act in accordance with the legal requirements.

The list of authorized data receivers:

  • For ensuring card payments (as acquirer) – BluOr Bank AS (Reg.Nr. 40003551060, Smilšu street 37, LV-1050, Rīga)
  • For ensuring card services – Call Centre (transaction logs, balance, blocking) – BPO Services LTD (Reg.Nr. 50103796361, Kr. Valdemāra iela 8, Rīga, LV-1010, Latvia)
  • For ensuring card services (card embossing and delivery) – EVRY Card Services Baltijas Filiāle (Reg.Nr. 40103476464 , Biekensalas iela 21, Rīga, LV-1004, Latvia)
  • For data storage and email services Google Workspace – Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, VAT number: IE 6388047V
  • For customer resource management – INC. (Reg.Nr. The Landmark @ One Market street, San Francisco, CA 94105, USA)
  • For maintenance of accounting and personnel accounting system – SIA “Visma Enterprise” (Reģ.nr. 40003734170, Sporta iela 11, Rīga, LV-1013)
  • For maintaining compliance with the law and the regulatory requirements – Professional advisors (including lawyers and auditors)
  • For maintaining compliance with the law and the regulatory requirements – European based certified partners providing AML KYC and risk management systems
  • To distribute commercial offers and marketing materials – Intuit Inc. 2700 Coast Avenue, Mountain View, CA 94043, USA
  • For preparation of insurance proposals – Compensa Vienna Insurance Group ADB, Vienības gatve 87H, Rīga LV-1004 Reģ. Nr.: 40103942087
  • For providing multi-factor authorisation and signature – Twilio Inc., Twilio Inc., San Francisco, CA 94105, USA


The “higher maximum amount” is —

  • in the case of an undertaking, 20 million Euros or 4% of the undertaking’s total annual worldwide turnover in the preceding financial year, whichever is higher,
  • in any other case, 20 million Euros.

The “standard maximum amount” is —

  • in the case of an undertaking, 10 million Euros or 2% of the undertaking’s total annual worldwide turnover in the preceding financial year, whichever is higher,
  • in any other case, 10 million Euros.

The maximum amount of a penalty in sterling must be determined by applying the spot rate of exchange set by the Bank of England on the day on which the penalty notice is given.

If you have any queries about data processing at Bilderlings,
send us an email to: 
[email protected]