UK businesses that transfer personal data outside of the UK may need to update existing contracts to ensure compliance with UK data protection laws (UK GDPR).
This is because the grace period allowing businesses to rely on the old EU standard contractual clauses (Old SCCs) is running out and will expire on 21 March 2024.
By way of reminder, under the UK GDPR, there is a general prohibition on the transfer of personal data outside of the UK (referred to as a restricted transfer), unless the transfer is to a country whose data protection practices have been deemed "adequate", or "appropriate safeguards" are in place prior to the transfer.
In March 2022, we wrote about the introduction of the international data transfer agreement (IDTA) and the UK addendum to the new EU standard contractual clauses (New SCCs). To summarise, the Information Commissioner’s Office (ICO) introduced the IDTA and UK addendum to the New SCCs as an appropriate safeguard for the purpose of making restricted transfers of personal data under the UK GDPR. For more detail on the IDTA and the UK addendum, our previous article can be found here. The ICO’s statement and more detail on the IDTA and UK addendum can be found here.
UK businesses have been granted a grace period by the ICO, until 21 March 2024, to update their existing data transfer agreements to use either the IDTA or the UK addendum to the New SCCs. After this date, continuing to transfer personal data using the Old SCCs will result in a breach of the UK GDPR, and the possibility of substantial fines and reputational damage.
We recommend that UK businesses review relevant contracts to ensure that the contracts do not still rely on the Old SCCs to effect a compliant transfer.
If you are unsure about your data protection obligations under existing contracts and how these might be affected by the ICO deadline, please contact our data protection team.