Contributors
22 September 2022 marked the date from which you can no longer use the old EU Standard Contractual Clauses adopted in 2001 and 2010 (the Old EU SCCs) for new contracts transferring personal data outside of the UK under the UK GDPR.
The UK GDPR requires that when personal data is transferred outside of the UK, steps are taken to ensure it is appropriately protected. This is not a new concept and prior to Brexit similar rules applied to transfers of personal data outside of the EU. One of the mechanisms available were the old EU SCCs.
From 22 September 2022 new contracts involving a transfer of personal data outside the UK will need to use an alternative to the old EU SCCs. In March 2022, the UK Government published its replacement of the old EU SCCs.
What does this mean for new contracts?
For new contracts entered into after the 22 September 2022 involving the transfer of personal data outside of the UK these should not be entered into on the old EU SCCs. Instead, you will need to consider an alternative mechanism to achieve compliance. There are variety of mechanisms available but the direct replacements for the old EU SCCs are now:
- The International Data Transfer Agreement (IDTA), the IDTA addresses the UK GDPR’s cross border transfer requirements and can be used regardless of the roles of the parties (e.g. whether personal data is being transferred outside of the UK by a controller or a processor)
- The UK Addendum, the UK Addendum effectively amends the new EU Standard Contractual Clauses (published by the European Commission in June 2021) so that they can be used to comply with the UK GDPR. The UK Addendum is an alternative to the IDTA, amending the new EU SCCs and enabling them to be used for making international transfers of personal data from the UK. The UK Addendum has different modules which can be used depending on the role of the parties. The UK Addendum also includes the contractual provisions for processor contracts (the Article 28 terms) which are required by the UK GDPR (in contrast to the IDTA).
What does this mean for any existing contracts which use the old EU SCCs?
Those contracts made on or before 21 September 2022 using the old EU SCCs will only be valid until 21 March 2024, thereafter they will need to be replaced by the IDTA or the UK Addendum (if there is no alternative mechanism which can be used).
What if I make changes to the way personal data is used under an existing contract which uses the old EU SCCs?
You will need to update the contract to use the IDTA or UK Addendum (if there is no alternative mechanism which can be used).
What should we be doing?
- Update any template documents you use to ensure they incorporate one of the new transfer tools (e.g. the IDTA or UK Addendum) or make sure you satisfy the UK GDPR cross border transfer requirements in another way.
- Don't enter into any new contracts which refer to the Old EU SCCs.
- Identify all of the existing contracts you have in place that involve the transfer of personal data outside of the UK and which rely on the Old EU SCCs. Once you have done this, you can start to assess the scale of the project and which of the UK Addendum or IDTA is the best document for you to use as a replacement.
The ICO has promised further guidance on the transfer tools so watch this space for further developments and detail on how the IDTA and Addendum should be used.
We have a dedicated privacy team with years of experience advising on cross border transfer compliance. If you have any queries on the above or would like further advice/support, please get in touch.
