Under the United Kingdom and European Union, General Data Protection Regulations (GDPR) standard contractual clauses (SCCs) are the most commonly used mechanisms, or ‘appropriate safeguards’, to legitimise international transfers of personal data.
SCCs are intended to ensure that enforceable data subject rights and effective legal remedies are available for data subjects whose personal data is transferred to a country or organisation outside of the UK or EU (as applicable) and for which no ‘adequacy’ decision has been adopted by either the UK Government or the EU.
In June 2021 the EU Commission introduced the new EU SCCs for transfers of personal data outside the EU (‘2021 EU SCCs’). The Commission also repealed the previous SCCs.
EU Data controllers and processors using the previous SCCs as of 26 September 2021 have until 27 December 2022 to transition to the 2021 EU SCCs.
The UK left the EU on 31 December 2020. Therefore the 2021 EU SCCs are not a valid transfer mechanism under the UK GDPR. For now, the previous SCCs will continue to apply for transfers outside of the UK.
TIA and Supplementary Measures
Regardless of which regime’s SCC is to be used, and because of the decision in Schrems II (see our article on Schrems II here), the transfer must not take place unless the controller or processor has adopted the following measures:
- Assessment of whether there is anything in the law or practice of the importing third country which may reduce the effectiveness of the protections offered by the SCC (a ‘transfer impact assessment’); and
- Identification and implementation of any supplementary measures required to ensure an equivalent level of protection for data subjects to that under the UK or EU GDPR (as applicable).
As data privacy experts, we regularly assist companies with updating their SCCs and Data Processing Agreements to ensure continued compliance. If you require assistance, please contact us here.