International Data Transfers Final Reminder For Moving Away From The Old EU Standard Contractual Clauses

By way of a reminder, 22 September 2022 marked the date from which UK businesses could no longer use the old EU standard contractual clauses (SCCs) for any new agreements entered into where personal data is transferred outside of the UK to another country (that is not of the EU or otherwise subject to an adequacy finding).

Old/Existing Contracts: For commercial contracts entered into before 21 September 2022 that utilise the old EU SCCs, UK businesses were granted a grace period before being required to change to an alternative transfer mechanism. 

This grace period expires on 21 March 2024, following which EU SCCs are no longer valid within the UK, and one of the two following mechanisms will need to be used:

• The UK International Data Transfer Agreement (IDTA) – which is a standalone agreement or
• The UK Addendum to the EU SCCs (UK Addendum) amends the new EU SCCs for use within the UK in compliance with the UK GDPR.

The Commercial Team at Myerson has extensive experience of advising businesses in order to ensure that any international transfers of personal data are made in complete compliance with UK GDPR and can provide assistance to businesses in the following ways:

• Assessing the position of the parties and advising on which of the transfer mechanisms is most appropriate;
• Assisting businesses with carrying out TRAs;
• Transitioning agreements which are still relying on the old EU SCCs to the most appropriate transfer mechanism (either the IDTA or UK Addendum) via variations;
• Updating any template agreements which businesses use to ensure that they incorporate either the IDTA or the UK Addendum and 
• More generally, working with businesses to ensure compliance with the UK GDPR through carrying out data mapping exercises, gap analysis reports and data protection impact assessments.