The European Commission has granted the UK access to EU data in a key decision that will have significant bearing on post-Brexit relations.

The commission has now formally recognised that UK data protection rules are "adequate" and that personal data can therefore flow from the EU to the UK.

In a statement, the commission said the data would benefit "from an essentially equivalent level of protection to that guaranteed under EU law".

The so-called "adequacy" decision has been adopted under two pieces of EU law. These are the General Data Protection Regulation (GDPR) and the Law Enforcement Directive.

The "adequacy" decision is limited to four years and will be reviewed under a so-called sunset clause.

This means the decision will expire at that point and will have to be reinstated, provided the EU is satisfied that a sufficient degree of data protection remains.

European Commission vice-president for Values and Transprency Vera Jourová said: "The UK has left the EU but today its legal regime of protecting personal data is as it was.

"Because of this, we are adopting these adequacy decisions today.

"At the same time, we have listened very carefully to the concerns expressed by the parliament, the member states and the European Data Protection Board, in particular on the possibility of future divergence from our standards in the UK's privacy framework."

She added: "We are talking here about a fundamental right of EU citizens that we have a duty to protect. This is why we have significant safeguards and if anything changes on the UK side, we will intervene."

EU Justice Commissioner Didier Reynders said: "After months of careful assessments, today we can give EU citizens certainty that their personal data will be protected when it is transferred to the UK.

"This is an essential component of our new relationship with the UK. It is important for smooth trade and the effective fight against crime."

The commission said the UK's data protection system continues to be based on the same rules that were applicable when the UK was a member state, and that the UK had "fully incorporated the principles, rights and obligations of the GDPR and the Law Enforcement Directive into its post-Brexit legal system".

It said there were strong safeguards in UK law to protect citizens' data when it came to the authorities accessing that data for national security reasons.

"In particular, the collection of data by intelligence authorities is, in principle, subject to prior authorisation by an independent judicial body. Any measure needs to be necessary and proportionate to what it intends to achieve. Any person who believes they have been the subject of unlawful surveillance may bring an action before the Investigatory Powers Tribunal," the commission said.

The commission statement said the UK was still subject to the jurisdiction of the European Court of Human Rights and would have to adhere to both the European Convention of Human Rights and the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.

The adequacy decision does not cover UK immigration control due to a recent judgment of the England and Wales Court of Appeal on the validity and interpretation of certain restrictions of data protection rights in this area.

The EU-UK Trade and Cooperation Agreement (TCA) includes a commitment by both sides to uphold high levels of data protection.