International Data Transfers Final Reminder For Moving Away From The Old EU Standard Contractual Clauses

Carla Murray's profile picture

Carla Murray - Partner

Published
2 minutes reading time

Brief recap of what the deadline is and what it applies to

By way of a reminder, 22 September 2022 marked the date from which UK businesses could no longer use the old EU standard contractual clauses (SCCs) for any new agreements entered into where personal data is transferred outside of the UK to another country (that is not of the EU or otherwise subject to an adequacy finding).

Old/Existing Contracts: For commercial contracts entered into before 21 September 2022 that utilise the old EU SCCs, UK businesses were granted a grace period before being required to change to an alternative transfer mechanism. 

This grace period expires on 21 March 2024, following which EU SCCs are no longer valid within the UK, and one of the two following mechanisms will need to be used:

  • The UK International Data Transfer Agreement (IDTA) – which is a standalone agreement or
  • The UK Addendum to the EU SCCs (UK Addendum) amends the new EU SCCs for use within the UK in compliance with the UK GDPR.

Speak To Our Commercial Solicitors

International Data Transfers Final Reminder For Moving Away From The Old EU Standard Contractual Clauses v2

What UK businesses need to do next

Noting that the deadline is just under two months away, UK businesses should (if not already done) be carrying out the following processes:

  • Reviewing and identifying any existing agreements in place which allow for the transfer of personal data outside of the UK and which are still relying on the old EU SCCs;
  • Varying any existing agreements which use the old EU SCCs to incorporate either the IDTA or the UK Addendum;
  • Ensuring that any new agreements entered into incorporate the UK Addendum or the IDTA and are not subject to the old EU SCCs and 
  • Where applicable (where personal data is being transferred to a country deemed inadequate by the UK Government and will be relying on either the IDTA or the UK Addendum), carry out a transfer risk assessment (TRA). In such circumstances, the TRA is a mandatory requirement, and its purpose is to ensure that the personal data of individuals will be fully protected when it is sent to the relevant country outside of the UK.

Contact Myerson Solicitors

What UK businesses need to do next

How we can help

The Commercial Team at Myerson has extensive experience of advising businesses in order to ensure that any international transfers of personal data are made in complete compliance with UK GDPR and can provide assistance to businesses in the following ways:

  • Assessing the position of the parties and advising on which of the transfer mechanisms is most appropriate;
  • Assisting businesses with carrying out TRAs;
  • Transitioning agreements which are still relying on the old EU SCCs to the most appropriate transfer mechanism (either the IDTA or UK Addendum) via variations;
  • Updating any template agreements which businesses use to ensure that they incorporate either the IDTA or the UK Addendum and 
  • More generally, working with businesses to ensure compliance with the UK GDPR through carrying out data mapping exercises, gap analysis reports and data protection impact assessments.

Get In Touch With Our Commercial Team

how we can help with your commercial contracts

Contact Our Commercial Lawyers

If you have any questions or would like to discuss this article in further detail, please contact our Commercial Solicitors, who would be happy to assist. Contact us on:

01619414000

Carla Murray's profile picture

Carla Murray

Partner

Carla has over 18 years of experience acting as a Commercial solicitor. Carla is the Head of Myerson’s Technology Sector. She has handled various matters relating to commercial agreements, technology contracts, and data protection.

About Carla Murray >