If a pension scheme wants to transfer personal data outside the UK to a country not considered by the UK government to offer an adequate level of data protection (a restricted transfer)1, appropriate safeguards must be put in place for that transfer unless one of the limited exemptions under the UK General Data Protection Regulation (UK GDPR) applies2. One safeguard is to include "standard contractual clauses" (SCCs) in the contract under which data will be transferred outside the UK.
In 2022, the UK Information Commissioner's Office introduced changes to the SCCs that can be used. From 21 September 2022, new contracts under which parties make restricted transfers must include one of the following:
- An international data transfer addendum to the SCCs produced by the European Commission (the UK Addendum).
- An international data transfer agreement (the IDTA).
However, the changes are not just confined to new contracts. All existing contracts must be updated by 21 March 2024 to include one of the above safeguards.
What does this mean for trustees?
Advisers and service providers who make restricted transfers on behalf of trustees - Although there might be limited circumstance in which trustees make restricted transfers themselves, advisers and service providers who process data on the trustees' behalf may well do so. Trustees should therefore ensure that suitable contractual commitments are in place with their advisers/service providers whereby they must notify the trustees of any restricted transfer, and confirm they have entered into and are complying with the UK Addendum or the IDTA for those transfers. However, trustees will not need to enter into the UK Addendum or the IDTA directly if they are not making the restricted transfer themselves.
Trustees who make restricted transfers themselves - In circumstances where trustees themselves make a restricted transfer, such as to a branch of a service provider established in a country not considered to offer an adequate level of data protection, trustees will need to ensure that they either:
- Transfer the data to a UK branch of the service provider and ask the UK branch to transfer the personal data to the branch outside the UK.
- Enter into appropriate safeguards with the non-UK branch for the restricted transfer. Where those safeguards take the form of inclusion of SCCs in the contract with the adviser/service provider, trustees will need to ensure that the contract includes either the UK Addendum or the IDTA by 21 March 2024.
Risk assessment - Trustees relying on the UK Addendum or the IDTA for restricted transfers because they make the restricted transfer themselves must also carry out a transfer risk assessment3 to ensure that the contractual safeguards in the UK Addendum or the IDTA are not undermined by the laws and practices in the country of the data recipient. Importantly, trustees will not be required to conduct a transfer risk assessment if their adviser or service provider is making the restricted transfer. For this reason there is benefit in trustees ensuring that they first transfer the personal data to a UK service provider before the service provider transfers the personal data outside the UK. For more detail on transfer risk assessments under the UK GDPR, please see our data protection colleagues' legal update.
1. The UK government has recognised the following countries and territories as offering an adequate level of data protection: member states of the European Economic Area, Andorra, Argentina, Canada (organisations subject to Canada's Personal Information Protection and Electronic Documents Act only), Gibraltar, Guernsey, Isle of Man, Israel, Japan (private sector organisations only), Jersey, New Zealand, South Korea, Switzerland and Uruguay.
2. Appropriate safeguards do not have to be implemented if one of the limited exemptions under Article 49 UK GDPR applies, such as the transfer being necessary for the "establishment, exercise or defence of legal claims".
3. Also known as a transfer impact assessment.
Originally published September 12 2023
Visit us at mayerbrown.com
Mayer Brown is a global services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown (a Hong Kong partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) and non-legal service providers, which provide consultancy services (collectively, the "Mayer Brown Practices"). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong & Nair LLC ("PKWN") is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong & Nair Pte. Ltd. Details of the individual Mayer Brown Practices and PKWN can be found in the Legal Notices section of our website. "Mayer Brown" and the Mayer Brown logo are the trademarks of Mayer Brown.
© Copyright 2023. The Mayer Brown Practices. All rights reserved.
This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.