Who is the regulator in charge?

         

QuaterPan

6:48 pm on May 29, 2018 (gmt 0)



Let's say you are a UK business: will it be the UK ICO which will always be in charge, if you are not compliant with the GDPR? Or can it be the regulator of the citizen who filed a complaint? Let's say a German citizen files a complaint about a UK site, will it still be the UK regulator in charge? Or the German one?

lucy24

8:36 pm on May 29, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



<tangent>
Ooh, interesting point. Does this mean the UK has to comply with the GDPR for the time being, but after March 2019 they can blithely disregard it again? It hardly seems worth it.
</tangent>
It would never be a German regulator, would it? That is, the individual person might happen to be German, because you have to be something, but they'd be taking action in an EU-regulator capacity.

QuaterPan

8:42 pm on May 29, 2018 (gmt 0)



Does this mean the UK has to comply with the GDPR for the time being, but after March 2019 they can blithely disregard it again?

No. It doesn't matter whether or not the UK is still in the EU. The GDPR applies no matter the country; and considering that the UK will keep a close relationship with the EU, the GDPR will apply to UK companies regardless from now on.

Also, the UK ICO is heavily involved in the GDPR, so they'll continue to apply it.

Off-topic, I doubt the UK will leave in 2019. I bet the date will be pushed - [m.newstimes.com...]

keyplyr

3:32 am on May 30, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I've noticed a migration of UK companies to my datacenter in the US (which is GDPR compliant as well as a Privacy Shield company for data storage.)

I mention this in relation to the topic since there must be something uncertain in UK compliance right now.

QuaterPan

12:29 pm on May 30, 2018 (gmt 0)



All this does not say who is in charge, in case of an issue. I guess that a citizen can file a complaint with his national regulator, which will forward the complaint to the regulator of the country where the company running the site is registered.

Shaddows

12:57 pm on May 30, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Well, that is an excellent question. Here are the two conflicting rules:

Art 56(1) [gdpr-info.eu]
    Without prejudice to Article 55, the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor in accordance with the procedure provided in Article 60.
Art 77(1) [gdpr-info.eu]
    Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.

From which I take that the Data Subject can complain to its supervisory body, but the Controller/Processor's body is in charge.

QuaterPan

1:03 pm on May 30, 2018 (gmt 0)



Well, that is an excellent question.

Thank you, and thank you for your answer.

topr8

4:18 pm on May 30, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Ooh, interesting point. Does this mean the UK has to comply with the GDPR for the time being, but after March 2019 they can blithely disregard it again? It hardly seems worth it.


like all things political it's complicated, but actually the way it works as i understand it, is that the eu come up with various ideas/laws which the member governments then have to enshrine into their own law.
thus it is British law and on leaving the eu, it will still be british law unless it is repealed (which is obviously pretty unlikely)
any lawyers feel free to correct me, but this is how it works, not just for GDPR but all the EU stuff.

Shaddows

4:32 pm on May 30, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Actually, we don't know yet.

The European Union (Withdrawal) Bill is still in Parliament, being amended by all and sundry.

As originally drafted, the whole Acquis would be transferred to UK law, with the Executive given powers to make amendments to preserve the meaning (e.g. drop refs to the ECJ, EU Commission and EU Directives, replace with UK Supreme Court, Parliament, UK Statutes), but that is hard to draft as a law. As such, the original wording meant the Executive could make sweeping, substantive edits without being accountable to the legislature. So, amends.

In the meantime, there is a sustained campaign by some "rebel" Tories, the Lords, and apparently some Civil Servants to keep the UK as close to the EU as possible, including remaining in the Single Market and possibly "a" customs union ("the" customs union being reserved for EU member states under the Common Commercial Policy). This might mean the GDPR remains directly in force, rather than copied and followed.

For the record, the ICO says the GDPR will remain in force in any case.

Shaddows

4:35 pm on May 30, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



the eu come up with various ideas/laws which the member governments then have to enshrine into their own law.
That's true of Directives, but not Regulations.

The "cookie law" is under the ePrivacy Directive, and therefore does not have direct force.

There will be an ePrivacy Regulation soon (intended to be simultaneous with GDPR, but was held). The GDPR is a regulation, with direct force in law in all member states.
any lawyers
Full disclosure; I am not a lawyer

QuaterPan

4:43 pm on May 30, 2018 (gmt 0)



Full disclosure; I am not a lawyer

Considering your knowledge on the GDPR/ePrivacy stuff, I would prefer to be represented by you, than by a real lawyer.

Shaddows

7:05 am on May 31, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Thanks QuaterPan!

topr8

7:09 am on May 31, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



thanks Shaddows, you seem to be very well informed in these matters!

QuaterPan

11:02 am on May 31, 2018 (gmt 0)



you seem to be very well informed in these matters!

I agree. Also, Shaddows makes the effort to quote articles to support his arguments. This is greatly appreciated, thank you again!