Model clauses: the lay of the land

Within the EU

On 4 June 2021 the European Commission published new Standard Contractual Clauses, EU SCCs, set contract wording to safeguard personal data being exported to a third country, by a party which is subject to the EU GDPR. One key development is that the new EU SCCs now account for processor-to-processor and processor-to-controller transfers, as opposed to just controller-to-controller or controller-to-processor.

From 27 June 2021, organisations subject to the EU GDPR could begin using the new EU SCCs. From 27 September 2021 only the updated EU SCCs could be used for new arrangements and the previous set could no longer be signed. Organisations now have until 27 December 2022 to transition all existing arrangements from the previous version of the EU SCCs onto the new version.

Within the UK

Meanwhile in the UK, in August 2021 the ICO published a draft International Data Transfer Agreement, IDTA, for consultation, a final form of which is expected to be published in early 2022. The IDTA will operate as an appropriate safeguard for transfers of personal data, where the UK GDPR applies to the personal data being transferred.

The ICO also published:

• Draft international transfer risk assessment guidance, to assist organisations in assessing the laws and practices of the destination country, to determine whether the IDTA provides the necessary protection to the personal data being transferred. If not, the IDTA cannot be used as an appropriate safeguard.
• Draft UK Addendum to the EU SCCs, UK Addendum, which can be added to the EU SCCs to extend their protection so that they also operate as an appropriate safeguard under the UK GDPR. The UK Addendum is good news for organisations which are subject to both the EU GDPR and UK GDPR, as it will allow them to rely on one set of standard clauses, rather than having to execute both EU SCCs and an IDTA with each relevant data importer.

Once the final IDTA and UK Addendum are published the ICO will confirm the applicable grace periods for implementing the updated safeguards.

At the moment we anticipate that organisations will have:

• Three months from the date that the IDTA and UK Addendum come into force, before these must be used for all new arrangements.
• 24 months from the date that the IDTA and UK Addendum come into force, to transition existing arrangements onto the updated versions.

It is important that businesses assess their international data flows to identify where action is required.

If you have any questions regarding international data transfers, please contact our Data Protection team.