Important deadlines for companies transferring personal data out of the EU and UK
The New Standard Contractual Clauses
On 4 June 2021 the European Commission adopted the New Standard Contractual Clauses (New SCCs), a primary mechanism for lawfully transferring personal data outside the EU.
The deadline for updating existing data transfer agreements based on the old Standard Contractual Clauses (Old SCCs) is approaching. By 27 December 2022 data transfer agreements must be updated to incorporate the New SCCs, provided that the processing operations that are the subject matter of the contract remain unchanged.
This is no small undertaking, particularly as the New SCCs impose a number of additional obligations on businesses. The New SCCs can be used as an appropriate safeguard when transferring personal data of UK or EU data subjects to third countries if a Data Transfer Impact Assessment (DTIA) has been carried out. A DTIA involves conducting an analysis to determine whether the privacy protections afforded by the third country to which the personal data is being transferred meet EU/UK standards. The DTIA must be carried out before the transfer of personal data occurs.
UK requirements: IDTA and the Addendum
Post-Brexit, the New SCCs alone are not a valid transfer mechanism under the UK GDPR (as they were adopted after Brexit).
In February 2022 the UK Information Commissioner's Office adopted (i) the International Data Transfer Addendum to the European Commission's Standard Contractual Clauses for International Data Transfers (UK Addendum), which is to be appended to the New SCCs to satisfy legal requirements for making personal data transfers from the UK to third countries; and (ii) the International Data Transfer Agreement (IDTA), which is a stand-alone agreement that can be used when transfers of personal data are occurring from the UK to third countries and the New SCCs are not being used. The UK Addendum and the IDTA are essentially the UK versions of the New SCCs. Until now, organisations have been using the Old SCCs to make such personal data transfers from the UK.
Organisations will be able to use the IDTA or the UK Addendum as a transfer mechanism to comply with the requirement under Art. 46 of the UK GDPR to provide “appropriate safeguards” for personal data when it is transferred from the UK to countries which are not covered by the UK’s “adequacy regulations” (i.e. broadly countries other than the EEA countries, Gibraltar and countries covered by the European Commission’s adequacy decisions).
Various considerations will determine whether businesses should adopt the UK Addendum or the IDTA. Large multinational organisations may want to go down the UK Addendum route simply because they may already be using the New SCCs for data transfers from the EU. On the other hand, the IDTA may be the preferred option for organisations which are only UK based and only process data to which the UK GDPR applies.
From 21 September 2022, all new agreements that govern the transfer of personal data subject to an appropriate safeguard must use either the UK Addendum alongside the New SCCs, or the IDTA. All existing agreements relating to UK personal data transfers will remain valid until 21 March 2024, at which point the existing agreements including the Old SCCs must be replaced with the IDTA or the UK Addendum.
The requirement to carry out a DTIA is also applicable under UK law.
It is worth mentioning that the New SCCs (when the controller-to-processor module is used) already incorporate the Article 28 GDPR requirements, so a separate data processing agreement does not need to be entered into. This is not currently the case with the IDTA.
Key dates to note
21 September 2022 – all new UK data transfer agreements should append the UK Addendum or IDTA.
27 December 2022 – all contracts appending Old SCCs to be updated with the New SCCs.
21 March 2024 – all existing transfer agreements for UK transfers to append the UK Addendum or IDTA. Transfer arrangements that use the Old SCCs will continue to be valid until 21 March 2024 (provided that the processing operations remain unchanged).
What should businesses be doing?
Companies should do an inventory of all data transfers out of the EU and UK and assess the status of the data transfer clauses in those contracts. If you require any assistance, please contact Irene Trubbiani Montagnac or another member of the GDPR team.