The EU standard contractual clauses / model clauses (“SCCs”) were introduced in 1995 in the EU Data Protection Directive and became the primary means for organisations to share personal data outside of the European Economic Area (“EEA”) with countries that were not deemed to have adequate standards in relation to processing personal data (known as “Restricted Transfers”). The SCCs were useful as parties could quickly implement an EU Commission-approved set of terms to facilitate international data transfers due to the fact that the SCCs could not be negotiated by the parties.

With the introduction of the GDPR in 2018, it became apparent that the SCCs were no longer fit for purpose and on 22 September 2022, UK organisations were prohibited from entering into any new agreements using the SCCs.

A grace period for existing contracts that incorporated the SCCs (entered before 21 September 2022) was permitted before the parties had to change to an alternative transfer mechanism. However, this transition period is due to expire on 21 March 2024 – less than one week away.

Next Steps

  1. Review your contracts which relate to the processing of personal data to see if the rely on the SCCs to transfer personal data outside of the UK / EEA.
  2. Amend existing contracts to incorporate a new personal data transfer mechanism. Following 21 March 2024, UK organisations will need to either use the:
  • A) UK International Data Transfer Agreement (“IDTA”); or
  • B) UK Addendum to the new EU SCCs (“UK Addendum”). The new EU SCCs were issued by the European Commission on 4 June 2021, but they cannot be used alone for Restricted Transfers under the UK GDPR. Consequently, the UK Addendum will be required in order to ensure that you are compliant.

It is worth checking if the country receiving personal data has an ‘adequacy’ decision or if the other party is registered under the recent UK-US Data Bridge (for US data transfers), as this may negate the need for the IDTA or UK Addendum.

  1. Conduct a Transfer Risk Assessment (“TRA”) where a Restricted Transfer occurs. This will be needed each time you implement the IDTA or the UK Addendum in relation to a country with inadequate data protection laws (as determined by the UK Government). Please note that the ICO provides a TRA tool to assist with making the assessment.
  2. Update your templates to ensure that the old SSCs are not referenced going forwards.

Our Data Protection Solicitors are available if you would like assistance with any of the above requirements and we are always happy to talk through your Data Protection compliance requirements.

This publication is a general summary of the updates to the law as at the date of publication. It should not replace legal advice that has been provided to your specific circumstances.