Companies subject to the EU GDPR and reliant on standard contractual clauses (“SCCs”) to transfer personal data out of the EEA are reminded that the regulatory deadline to update their existing agreements has now passed.
EU GDPR Requirements
To recap, on 4 June 2021, we saw the European Commission adopt new, modernised EU SCCs for the transfer of personal data from the EEA to third countries.
Organisations were afforded a transitional period, which required that they:
- cease using the old SCCs in new contracts by 27 September 2021, and
- transition all existing contracts over to the new EU SCCs by 27 December 2022.
This means that organisations should have now adopted the new EU SCCs in all existing contracts involving international transfers of personal data under the EU GDPR. If they have not already done so, they should prioritise doing so as soon as possible.
UK GDPR Requirements
As the UK is no longer part of the EU, the new EU SCCs are not a valid transfer mechanism under the UK GDPR. However, in March 2022, the UK ICO formally adopted:
- the IDTA, a standalone agreement – similar to (but not the same as) the new EU SCCs – for international data transfers from the UK to third countries;
- the UK Addendum, which can be appended to, and have the effect of modifying, the new EU SCCs so that they work for international data transfers from the UK to third countries.
These were discussed in further detail in our previous article “New UK International Data Transfer Agreement.”
In respect of data transfer arrangements subject to the UK GDPR, contracts entered into prior to 21 September 2022 can rely on old EU SCCs until March 2024 (provided there are no modifications to the data transfer operations under those contracts) but, from now, new contracts must incorporate either the IDTA or the combination of the new EU SCCs and the UK Addendum.
In Other News
Following Schrems II, businesses – whether subject to the EU GDPR or UK GDPR – relying on SCCs for their data transfers to recipients in third countries are also required to undertake and document transfer risk assessments (“TRAs”). SCCs alone are no longer sufficient. Whilst the European Data Protection Board (EDPB) already published recommendations on this topic in June 2021 in respect of restricted transfers subject to the EU GDPR, the ICO only recently published updated guidance on transfer risk assessments in respect of restricted transfers made subject to the UK GDPR.
Together with its guidance, the ICO has also published a TRA tool which can be used to help businesses carry out their TRAs. It is worth noting that the ICO has given businesses the option of conducting their assessments in line with the EDPB recommendations: either option is acceptable to the ICO.