What does the deadline apply to?
In Autumn 2022, we reported that 22 September 2022 marked the date from which you could no longer use the old EU Standard Contractual Clauses adopted in 2001 and 2010 by the European Commission (the Old EU SCCs) for new contracts transferring personal data outside of the UK under the UK GDPR.
The UK GDPR requires that when personal data is transferred outside of the UK, steps are taken to ensure it is appropriately protected. This is not a new concept and prior to Brexit similar rules applied to transfers of personal data outside of the EU. One of the mechanisms available were the Old EU SCCs.
For contracts entered into before 21 September 2022, you could continue to use the Old EU SCCs for an additional period of time before needing to change to an alternative transfer mechanism. This effectively gave organisations an implementation window during which time they could identify any transfers taking place under the Old EU SCCs and then assess those transfers to implement an alternative mechanism.
What is the final deadline for use of the Old EU SCCs in the UK?
The deadline is 21 March 2024. After this date the Old EU SCCs are no longer compliant in the UK.
What do you need to know about the deadline?
If you have a contract where personal data is being transferred outside of the UK under the UK GDPR under the Old EU SCCs you need to consider how you achieve compliance with the cross border transfer requirements.
For contracts where such transfers are continuing after 21 March 2024 you need to find an alternative means of achieving compliance. This may mean replacing the Old EU SCCs with either of the tools now approved by the UK Government, namely: (i) the UK International Data Transfer Agreement (IDTA); or (ii) the UK Addendum to the new EU Standard Contractual Clauses issued in June 2021 (UK Addendum). The UK Addendum and IDTA are not the only mechanisms for achieving compliance so it is important to properly assess the transfer to ensure the most appropriate route is taken.
What do you need to do next?
As a priority you should:
- Identify all of the existing contracts you have in place that involve the transfer of personal data outside of the UK and which rely on the Old EU SCCs. Once you have done this, you can start to assess the scale of the project and what the most appropriate alternative is to achieve compliance.
- Where necessary, carry out a transfer risk assessment (TRA). This is a requirement when entering into a contract based on the IDTA or the UK Addendum. The ICO has issued guidance on how to carry out a TRA.
- Conclude new contracts or vary existing contracts to incorporate the UK Addendum or IDTA.
What do you need to know about the IDTA and the UK Addendum?
The IDTA addresses the UK GDPR’s cross border transfer requirements and can be used regardless of the roles of the parties (eg whether personal data is being transferred outside of the UK by a controller or a processor).
The UK Addendum effectively amends the new EU Standard Contractual Clauses (published by the European Commission in June 2021 to be used for compliance with the EU GDPR) so that they can be used to comply with the UK GDPR. The UK Addendum is an alternative to the IDTA, amending the new EU SCCs and enabling them to be used for making international transfers of personal data from the UK. The UK Addendum has different modules which can be used depending on the role of the parties. The UK Addendum also includes the contractual provisions for processor contracts (the Article 28 terms) which are required by the UK GDPR (in contrast to the IDTA).
How can WBD help you?
Assessing transfers to determine the most appropriate next step can be complex particularly in light of the detailed guidance that has been issued. The guidance now clearly defines which of the parties to an arrangement are responsible for ensuring transfers comply with the UK GDPR. It is also important to have correctly assessed the roles of the parties from a data protection perspective to ensure that the UK Addendum is completed correctly or any additional provisions which are needed to supplement the IDTA are also put in place.
The team at Womble Bond Dickinson has significant experience of advising on compliance relating to cross border transfers of personal data and can support you with transitioning from the Old EU SCCs to the most appropriate alternative. Please get in touch using the details above if you have any queries.