As the regulatory landscape surrounding data protection evolves, organisations operating in the UK are faced with the challenge of keeping informed about and adapting to new requirements. Recent developments have significant implications for data transfers, particularly for those that, until now, have relied on ‘old’ EU Standard Contractual Clauses (SCCs) to transfer data to a country or territory not covered by the UK’s adequacy regulations.
Old EU SCCs: the deadline has passed, they can no longer be used
The old EU SCCs can no longer be used. These clauses were valid until 21 March 2024 for contracts entered into before 21 September 2022, but they are no longer a valid transfer mechanism.
You must, if you haven’t done so already, check that none of your contracts still rely on the old EU SCCs. If any do, you need to work to update them to meet the current requirements for compliance. The compliant equivalent is now achieved through the International Data Transfer Agreement (IDTA) or the International Data Transfer Addendum (the UK Addendum).
To use the IDTA or the UK Addendum, any organisation which is transferring personal data outside of the UK to a country or territory not covered by the UK’s adequacy regulations should:
- carry out a Transfer Risk Assessment (TRA); and
- vary existing contracts to include the IDTA or the UK Addendum. New contracts should include these as standard where applicable.
Replacing the old EU SCCs: introducing the IDTA and the UK Addendum
The IDTA or the UK Addendum can be used as your appropriate mechanism when:
- UK GDPR applies to the personal data that you are transferring;
- the personal data is being sent or made accessible to a receiver who is located in a country or territory not covered by a UK adequacy decision; and
- the receiver is a separate controller or processor and legally distinct from you as the sender.
The UK Addendum essentially allows organisations to rely on the ‘new’ EU SCCs – it is an ‘add-on’ to those EU SCCs which were issued back in June 2021. However, it’s important to remember that the new EU SCCs will only be valid under UK GDPR when used with the UK Addendum. Alternatively, the IDTA can be used.
You may be wondering when it’s better to use one or the other. This will depend on your circumstances. If, for example, your business operates across the UK and the EU, and you have already spent time implementing the new EU SCCs for data transfers, the UK Addendum might make sense for your business. There are some limitations with regard to the UK Addendum, though, and in some scenarios the IDTA may be more appropriate.
This can be complex, and you should seek legal advice if you are unsure.
Whichever you choose, conduct a Transfer Risk Assessment (TRA)
TRAs play an important role in the data transfer process, and they are required whenever you are relying on a UK GDPR Article 46 transfer mechanism like the IDTA or the UK Addendum.
TRAs help organisations to evaluate the risks associated with transfers and determine appropriate safeguards so that the protections for people covered by the UK data protection regime are not undermined. Here are some key things to bear in mind regarding TRAs:
- Factors to assess include the nature of the transfer, risks to data subjects, contractual measures, legal frameworks, and potential third-party access risks. The ICO has provided a tool that can be used to carry out each TRA.
- Each assessment must be documented and retained to demonstrate compliance with the accountability requirements.
- Your assessment may have highlighted additional measures that you will need to take the time to implement.
- You will need to establish review processes to ensure ongoing compliance.
- If you are not able to mitigate the risks highlighted by your TRA, it may be that the transfer cannot take place.
The Birketts view
As the old EU SCCs have now expired, it is imperative for businesses to ensure that they either already have an alternative data transfer mechanism in place for all relevant contracts, or swiftly adapt to the new requirements to ensure compliance.
Please contact our Data Protection Team for guidance on which option works best for you and your organisation. The regulatory landscape is evolving and it’s crucial that organisations adapt and work proactively to address compliance challenges, prioritising compliance measures and adopting best practices to mitigate risks to data and reputation.
The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article please contact the author in the first instance. Law covered as at April 2024.