September 28, 2022

Important deadlines for companies transferring personal data out of the EU and UK

Posted in GDPR
Author
Author headshot image
Irene Trubbiani Montagnac
Associate
More Articles

The New Standard Contractual Clauses

On 4 June 2021 the European Commission adopted the New Standard Contractual Clauses (New SCCs), a primary mechanism for lawfully transferring personal data outside the EU.

The deadline for updating existing data transfer agreements based on the old Standard Contractual Clauses (Old SCCs) is approaching. By 27 December 2022 data transfer agreements must be updated to incorporate the New SCCs, provided that the processing operations that are the subject matter of the contract remain unchanged.

This is no small undertaking, particularly as the New SCCs impose a number of additional obligations on businesses. The New SCCs can be used as an appropriate safeguard when transferring personal data of UK or EU data subjects to third countries if a Data Transfer Impact Assessment (DTIA) has been carried out. A DTIA involves conducting an analysis to determine whether the privacy protections afforded by the proposed third country to which the personal data is being transferred meets EU/UK standards. The DTIA must be carried out before the transfer of personal data occurs.

UK requirements: IDTA and the Addendum

Post-Brexit, the New SCCs alone are not a valid transfer mechanism under the UK GDPR (as they were adopted after Brexit).

In February 2022 the UK Information Commissioner Officer adopted (i) the International Data Transfer Addendum to the European Commission's Standard Contractual Clauses for International Data Transfers (UK Addendum), which is to be appended to the New SCCs to satisfy legal requirements for making personal data transfers from the UK to third countries; and (ii) the International Data Transfer Agreement (IDTA), which is a stand-alone agreement that can be used when transfers of personal data are occurring from the UK to third countries and the New SCCs are not being used. The UK Addendum and the IDTA are essentially the UK versions of the New SCCs clauses. Until now, organisations have been using the Old SCCs to make such personal data transfer from the UK.

Organisations will be able to use the IDTA or the UK Addendum as a transfer mechanism to comply with the requirement under Art. 46 of the UK GDPR to provide “appropriate safeguards” for personal data when it is transferred from the UK to countries which are not covered by the UK’s “adequacy regulations” (i.e. broadly countries other than the EEA countries, Gibraltar and countries covered by the European Commission’s adequacy decisions).

Various considerations will determine whether businesses should adopt the UK Addendum or the IDTA. Large multinational organisations may want to go down the UK Addendum route simply because they may already be using the New SCCs for data transfers from the EU. On the other end, the IDTA may be the preferred option for organisations which are only UK based and only process data to which the UK GDPR applies.
From 21 September 2022, all new agreements that govern the transfer of personal data subject to an appropriate safeguard must use either the UK Addendum alongside the New SCCs, or the IDTA. All existing agreements relating to UK personal data transfers will remain valid until 21 March 2024, at which point the existing agreements including the old SCCs must be replaced with the IDTA or the UK Addendum.

The requirement to carry out a DTIA is also applicable under UK law.

It is worth mentioning that, whilst the New SCCs (when module controller to processor is used) already incorporate the article 28 GDPR Requirements with the effect that it is not necessary that a separate data processing agreement is entered into, this is not currently the case with the IDTA.

Key dates to note

21 September 2022 – all new UK data transfer agreements should append the UK Addendum or IDTA.

27 December 2022 –all contracts appending old SCCs to be updated with the New SCCs.

21 March 2024 - all existing transfer agreements for UK transfers to append the UK Addendum or IDTA. Transfer arrangements that use the Old SCCs will continue to be valid Until 21 March 2024 (provided that the processing operations remain unchanged).

What should businesses be doing?

Companies should do an inventory of all data transfers out of the EU and UK and assess the status of the data transfer clauses in those contracts. If you require any assistance, please contact Irene Trubbiani Montagnac or another member of the GDPR team.

Contact our GDPR team

From prevention to data breach management and recovery, we can help solve your data protection issues effectively to mitigate the financial, administrative and reputational consequences for your business.

Our GDPR team

View more articles in this area:

Podcast  |  30:11:23
Ransomware: to pay, or not to pay? | Legal Thinking Podcast
In this episode we speak to Carl Selby and Fran Tremeer, following their 'When, Not If' Cybersecurity report, about how businesses should respond when they're the victim of a ransomware attack.
Employee data
Opinion  |  08:06:23
Subject access request 101: ICO’s guidance for employers
On 24 May 2023, the Information Commissioner’s Office (‘ICO’) published new guidance for employers on how to deal with a Subject Access Request (‘SAR’).
Opinion  |  17:04:23
TikTok’s fine: what it means for businesses, and how you can avoid the same mistakes
TikTok has rapidly become very popular as a social media platform. Despite its success, it has received one of the largest fines ever issued by the Information Commissioner’s Office (ICO) for misusing children’s data....
Opinion  |  19:12:22
EU-US Data Privacy Framework – what you need to know now the draft adequacy decision has been published
Irene Trubbiani Montagnac explains what you need to know following the draft adequacy decision that comes as part of the EU-US Data Privacy Framework, which replaces the Privacy Shield.
Opinion  |  28:09:22
Important deadlines for companies transferring personal data out of the EU and UK
The New Standard Contractual Clauses On 4 June 2021 the European Commission adopted the New Standard Contractual Clauses (New SCCs), a primary mechanism for lawfully transferring personal data outside the EU. The deadline for...
IDTA
Opinion  |  03:08:22
Time is running out – deadline for the old EU standard contractual clauses draws near
On 21 March 2022 the International Data Transfer Agreement (“IDTA”) and the international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers (the “Addendum”) came into force.
Opinion  |  24:06:22
Government proposes to shake up data protection regime
On 17 June 2022 the Department for Digital, Culture, Media & Sport (“DCMS”) issued a press release announcing the new data laws that would take effect as a result of the planned Data Reform...
Employee data
Opinion  |  15:06:22
Data Subject Access Requests – navigating employee data rights
Under the Data Protection Act 2018 employees have the right to obtain their personal data that is being processed by their employer. Making this request is known as a data subject access request (“DSAR”).
Opinion  |  13:05:22
Data Reform Bill 2022 – what is its purpose?
The introduction of a Data Reform Bill was among the Government’s proposed legislative plans delivered during the Queen’s Speech on 10 May 2022. This introduction will update the powers of the Information Commissioner’s Office...

View more articles related to GDPR

Share on:
View more articles