Data privacy digest series

An important deadline is imminent which will affect UK organisations sending personal data to recipients located outside the UK or EEA.

Transfers of personal data outside the UK and EEA can only be undertaken by UK organisations if appropriate safeguards are put in place, one of which is the use of an appropriate contractual transfer mechanism.

The UK previously followed the European Union and relied upon the European Standard Contractual Clauses (EU SCCs) as an appropriate contractual mechanism for international transfers of personal data (with binding corporate rules being another method of compliance). A new version of the EU SCCs was brought into force to be used for transfers of personal data from 27 September 2021, with the previous EU SCCs no longer being valid from 27 December 2022.

On 21 September 2022, the International Data Transfer Agreement (IDTA) and the International Transfer Addendum to the EU Standard Contractual Clauses (UK Addendum) became mandatory for new contracts, but UK organisations with contracts already in place at that date which incorporated the 2021 version of the EU SCCs could continue to rely upon those EU SCCs as the appropriate transfer mechanism under that contract.

The IDTA and UK Addendum are set to become mandatory for all contracts from 21 March this year, meaning that UK organisations which currently export personal data in reliance on the EU SCCs will need to take action to ensure that any international data transfers remain compliant with UK GDPR from this date, by either entering into the UK Addendum alongside the EU SCCs, or entering into a standalone IDTA.

Alongside the usage of the IDTA or the EU SCCs with a UK Addendum, a transfer risk assessment must be undertaken before any personal data is transferred in reliance on one of these contractual mechanisms. This includes an assessment of the risks to individuals' rights in the destination country from third parties accessing their personal data, and the risks to their rights arising from difficulties in enforcing the transfer mechanism.

We advise UK organisations to take the following immediate actions:

  • Check data flows to identify whether restricted transfers are being made which should have incorporated EU SCCs but do not, or which rely on the EU SCCs (whether the current or the previous version) as an appropriate safeguard.
  • Either incorporate a UK Addendum into the EU SCCs or enter into an IDTA.
  • Undertake a risk assessment to ensure the level of protection provided by the IDTA or UK Addendum with the EU SCCs is sufficient in the circumstances of the restricted transfer.

Our data protection specialists are able to advise on international data transfers and the requirements for restricted transfers under UK GDPR. If you are in doubt about your data protection obligations and how these might be impacted by the imminent deadline, please speak to us.