The Final Week For Personal Data Transfers Relying On The EU Standard Contractual Clauses

EL
Ellisons Legal

Contributor

Ellisons Legal
The EU standard contractual clauses / model clauses ("SCCs") were introduced in 1995 in the EU Data Protection Directive and became the primary means for organisations to share personal...
European Union Privacy
To print this article, all you need is to be registered or login on Mondaq.com.

The EU standard contractual clauses / model clauses ("SCCs") were introduced in 1995 in the EU Data Protection Directive and became the primary means for organisations to share personal data outside of the European Economic Area ("EEA") with countries that were not deemed to have adequate standards in relation to processing personal data (known as "Restricted Transfers"). The SCCs were useful as parties could quickly implement an EU Commission-approved set of terms to facilitate international data transfers due to the fact that the SCCs could not be negotiated by the parties.

With the introduction of the GDPR in 2018, it became apparent that the SCCs were no longer fit for purpose and on 22 September 2022, UK organisations were prohibited from entering into any new agreements using the SCCs.

A grace period for existing contracts that incorporated the SCCs (entered before 21 September 2022) was permitted before the parties had to change to an alternative transfer mechanism. However, this transition period is due to expire on 21 March 2024 – less than one week away.

Next Steps

  1. Review your contracts which relate to the processing of personal data to see if the rely on the SCCs to transfer personal data outside of the UK / EEA.
  2. Amend existing contracts to incorporate a new personal data transfer mechanism. Following 21 March 2024, UK organisations will need to either use the:
  • A) UK International Data Transfer Agreement ("IDTA"); or
  • B) UK Addendum to the new EU SCCs ("UK Addendum"). The new EU SCCs were issued by the European Commission on 4 June 2021, but they cannot be used alone for Restricted Transfers under the UK GDPR. Consequently, the UK Addendum will be required in order to ensure that you are compliant.

It is worth checking if the country receiving personal data has an 'adequacy' decision or if the other party is registered under the recent UK-US Data Bridge (for US data transfers), as this may negate the need for the IDTA or UK Addendum.

  1. Conduct a Transfer Risk Assessment ("TRA") where a Restricted Transfer occurs. This will be needed each time you implement the IDTA or the UK Addendum in relation to a country with inadequate data protection laws (as determined by the UK Government). Please note that the ICO provides a TRA tool to assist with making the assessment.
  2. Update your templates to ensure that the old SSCs are not referenced going forwards.

Our Data Protection Solicitors are available if you would like assistance with any of the above requirements and we are always happy to talk through your Data Protection compliance requirements.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

The Final Week For Personal Data Transfers Relying On The EU Standard Contractual Clauses

European Union Privacy

Contributor

Ellisons Legal
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More