ARTICLE
5 April 2024

The Final Week For Personal Data Transfers Relying On The EU Standard Contractual Clauses

EL
Ellisons Legal

Contributor

Ellisons Legal logo

Established for 260 years, Ellisons is a top 200 UK law firm and one of the region’s oldest, most established and fastest growing firms. We have a proven track record of providing clients with first class service and advice, enabling them to make the right decisions.

We advise businesses and individuals across the UK and beyond – aided by our membership of the Alliott Global Alliance (a worldwide alliance of professional firms). You can find our offices across Essex and Suffolk in Colchester, Chelmsford, Ipswich, Bury St Edmunds, Frinton-on-Sea and London.

Explore Firm Details
The EU standard contractual clauses / model clauses ("SCCs") were introduced in 1995 in the EU Data Protection Directive and became the primary means for organisations to share personal...
European Union Privacy
Rachel Frost

The EU standard contractual clauses / model clauses ("SCCs") were introduced in 1995 in the EU Data Protection Directive and became the primary means for organisations to share personal data outside of the European Economic Area ("EEA") with countries that were not deemed to have adequate standards in relation to processing personal data (known as "Restricted Transfers"). The SCCs were useful as parties could quickly implement an EU Commission-approved set of terms to facilitate international data transfers due to the fact that the SCCs could not be negotiated by the parties.

With the introduction of the GDPR in 2018, it became apparent that the SCCs were no longer fit for purpose and on 22 September 2022, UK organisations were prohibited from entering into any new agreements using the SCCs.

A grace period for existing contracts that incorporated the SCCs (entered before 21 September 2022) was permitted before the parties had to change to an alternative transfer mechanism. However, this transition period is due to expire on 21 March 2024 – less than one week away.

Next Steps

  1. Review your contracts which relate to the processing of personal data to see if the rely on the SCCs to transfer personal data outside of the UK / EEA.
  2. Amend existing contracts to incorporate a new personal data transfer mechanism. Following 21 March 2024, UK organisations will need to either use the:
  • A) UK International Data Transfer Agreement ("IDTA"); or
  • B) UK Addendum to the new EU SCCs ("UK Addendum"). The new EU SCCs were issued by the European Commission on 4 June 2021, but they cannot be used alone for Restricted Transfers under the UK GDPR. Consequently, the UK Addendum will be required in order to ensure that you are compliant.

It is worth checking if the country receiving personal data has an 'adequacy' decision or if the other party is registered under the recent UK-US Data Bridge (for US data transfers), as this may negate the need for the IDTA or UK Addendum.

  1. Conduct a Transfer Risk Assessment ("TRA") where a Restricted Transfer occurs. This will be needed each time you implement the IDTA or the UK Addendum in relation to a country with inadequate data protection laws (as determined by the UK Government). Please note that the ICO provides a TRA tool to assist with making the assessment.
  2. Update your templates to ensure that the old SSCs are not referenced going forwards.

Our Data Protection Solicitors are available if you would like assistance with any of the above requirements and we are always happy to talk through your Data Protection compliance requirements.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Rachel Frost
Rachel Frost
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More