Our guide to the latest European data transfer rules
If you’re making a restricted transfer of personal data, subject to the GDPR and/or UK GDPR, to a country without an adequacy decision, you’ll need to comply with the Standard Contractual Clauses (SCCs). The European Commission and UK Government have both recently published new versions of the SCCs to govern such restricted transfers.
For transfers subject to the GDPR, your existing contracts using the old SCCs will be valid until 27 December 2022, but any new contracts must use the new SCCs.
For transfers subject to the UK GDPR, from 21 September 2022 no new contracts can be signed using the old SCCs. Your existing contracts using the old SCCs will be valid until 21 March 2024.
Why the change?
The rules have changed because the previous SCCs were outdated, didn’t cater for modern data transfers and didn’t include the mandatory processing wording required by the GDPR. Additionally, the UK has taken its own approach to data protection requirements since Brexit. The new SCCs are in a modular format, and whilst they provide more comprehensive protection for personal data transfers outside of the EU/UK, they are inevitably more complicated.
How we’re helping
We’ve produced our new SCCs Handbook to make compliance simpler. It covers key points such as how your business will be affected, what’s different in the new SCCs and how to apply them.
It’s likely the new SCCs will add to your data compliance workload, but our new SCCs Handbook will ease that burden. Should you need extra support, our Privacy and Data Protection team is ready to help; for example, we can set up an action plan to audit and review the contracts you’ll need to change.