Attention Businesses: Deadline Approaching For Old EU SCCs In International Data Transfers
Author: Adam Munn
Key Contacts: Adam Munn & Declan Goodwin
If your business transfers personal data outside of the UK and is currently relying on old EU standard contractual clauses (Old EU SCCs), those agreements must be updated by 21st March 2024.
What are Old EU SCCs?
The Old EU SCCs were pre-approved contractual terms for data transfers between controllers and processors established in territories outside the European Economic Area (EEA). They offered a mechanism to guarantee adequate data protection safeguards.
Under UK data protection laws, organisations that entered into data transfer agreements prior to 31st September 2022 were permitted to rely on the Old EU SCCs until 21st March 2024.
How can organisations ensure compliant data transfers?
Following the UK’s withdrawal from the EU, organisations now have different options for ensuring lawful international data transfers.
Adequacy Decisions: The Information Commissioner’s Office (ICO) maintains a list of countries deemed “adequate” for data protection. Transfers to these countries do not require additional safeguards. A full list of countries covered under the UK’s ‘adequacy regulations’ can be found here.
Appropriate Safeguards: For transfers to non-adequate countries, organisations must implement “appropriate safeguards” to guarantee data protection. The most commonly used appropriate safeguard has been using the ICO’s approved international data transfer agreement (IDTA) or the UK Addendum to the new EU standard contractual clauses (UK Addendum). For more details on the IDTA and UK Addendum, our previous article can be found here. It is also worth mentioning that in addition to relying on the IDTA or UK Addendum, an organisation must also carry out a transfer risk assessment prior to transferring the personal data (further information can be found here).
Recommendation:
We strongly advise all businesses to review their existing international data transfer agreements immediately to ensure that all contracts are compliant and no longer rely on the Old EU SCCs. If necessary, businesses should update their agreements to incorporate the ICO’s IDTA and/or UK Addendum for continued secure data transfers.
For further information or advice, please get in touch with our Commercial and Technology Team.