Under the United Kingdom and European Union, General Data Protection Regulations (GDPR) standard contractual clauses (SCCs) are the most commonly used mechanisms, or ‘appropriate safeguards’, to legitimise international transfers of personal data.
SCCs are intended to ensure that enforceable data subject rights and effective legal remedies are available for data subjects whose personal data is transferred to a country or organisation outside of the UK or EU (as applicable) and for which no ‘adequacy’ decision has been adopted by either the UK Government or the EU.
EU GDPR
In June 2021 the EU Commission introduced the new EU SCCs for transfers of personal data outside the EU (‘2021 EU SCCs’). The Commission also repealed the previous SCCs.
EU Data controllers and processors using the previous SCCs as of 26 September 2021 have until 27 December 2022 to transition to the 2021 EU SCCs.
UK GDPR
The UK left the EU on 31 December 2020. Initially,. the 2021 EU SCCs were not a valid transfer mechanism under the UK GDPR, but the previous SCCs could continue to be relied on until 21 March 2024 in contracts entered into on or before 21 September 2022 (provided the relevant processing operations under the contract remain the same and the SCCs incorporated appropriate amendments to reflect the UK’s withdrawal from the EU).
In January 2022, the UK regulator the ICO, announced that the 2010 SCCs would be phased out and replaced by the new International Data Transfer Agreement (‘IDTA’) and the use of the 2021 EU SCCs in conjunction with an ICO approved “addendum”.
TIA and Supplementary Measures
Regardless of which regime’s SCC is to be used, and because of the decision in Schrems II (see our article on Schrems II here), the transfer must not take place unless the controller or processor has adopted the following measures:
- Assessment of whether there is anything in the law or practice of the importing third country which may reduce the effectiveness of the protections offered by the SCC (a ‘transfer impact assessment’); and
- Identification and implementation of any supplementary measures required to ensure an equivalent level of protection for data subjects to that under the UK or EU GDPR (as applicable).
As data privacy experts, we regularly assist companies with updating their SCCs and Data Processing Agreements to ensure continued compliance. If you require assistance, please contact us here.