Businesses should update their existing contractual agreements to the new SCCs by 27 December 2022. It would be sensible to have a data privacy lawyer review any cross-border personal data transfers.
The New Standard Contractual Clauses
As you may recall from our previous advisory, "The European Commission Implements New Standard Contractual Clauses" (which you can read here), existing data sharing contracts that include the old standard contractual clauses ("SCCs") will only remain valid until 27 December 2022. By this date, these contracts must be updated to incorporate the new SCCs that were adopted on 4 June 2021 by the European Commission.
The SCCs can be used as an appropriate safeguard when transferring personal data of UK or EU data subjects to third countries, if a Data Transfer Impact Assessment ("DTIA") has been carried out. A DTIA involves conducting an analysis to determine whether the privacy protections afforded by the proposed third country to which the personal data is being transferred meet EU/UK standards. The DTIA must be carried out before the transfer of personal data occurs.
New UK Requirements for International Data Transfers: IDTA and the Addendum
Following Brexit, the new EU SCCs are not valid as a transfer mechanism under the UK General Data Protection Regulation ("GDPR").
On 2 February 2022, the UK Information Commissioner's Office adopted: (i) the International Data Transfer Addendum to the European Commission's Standard Contractual Clauses for International Data Transfers (the "UK Addendum"), which is to be appended to the new EU SCCs to satisfy legal requirements for making personal data transfers from the UK to third countries; and (ii) the International Data Transfer Agreement ("IDTA"), which is a stand-alone agreement that can be used when transfers of personal data are occurring from the UK to third countries and the SCCs are not being used.
From 21 September 2022, all new agreements that govern the transfer of personal data subject to an appropriate safeguard must use either the UK Addendum alongside the SCCs, or the IDTA. All existing agreements relating to UK personal data transfers will remain valid until 21 March 2024, at which point the existing agreements including the old EU SCCs must be replaced with the IDTA or the Addendum.
Please note that the requirement to carry out a DTIA is also applicable under UK law.
- Deadline – 21 September 2022 – Ensure all new data transfer agreements append the UK Addendum or IDTA.
- Deadline – 27 December 2022 – Update all contracts appending old SCCs.
- Deadline – 21 March 2024 – Ensure all existing agreements append the UK Addendum or IDTA.
- Deadlines as above – Ensure all actions above are accompanied by an up-to-date DTIA.
We Can Help You
The deadline to update the SCCs is fast approaching; we can also take this opportunity to help ensure your contracts comply with UK requirements and include the UK Addendum or IDTA. We can also assist with carrying out DTIAs and ensuring your data transfers are GDPR compliant.
If you think you may need to review your data transfer practices, please let us know and we would be happy to assist you with this.
Nicole Akinyemi, a paralegal in the Financial Markets and Funds practice, contributed to this advisory.