Our guide to the latest European data transfer rules
If you make a restricted transfer of personal data, subject to the GDPR and/or UK GDPR, to a country without an adequacy decision, you need to comply with the Standard Contractual Clauses (SCCs). The European Commission and UK Government have both published updated versions of the SCCs to govern such restricted transfers.
For transfers subject to the GDPR, any existing contracts using the old SCCs must now include the updated SCCs.
As of 21 September 2022, for transfers subject to the UK GDPR, no new contracts can be signed using the old SCCs. Any existing contracts using the old SCCs will only be valid until 21 March 2024, so now is the time to start considering making the switch.
Why the change?
The rules have changed because the previous SCCs were outdated, didn’t cater for modern data transfers and didn’t include the mandatory processing wording required by the GDPR. Additionally, the UK has taken its own approach to data protection requirements since Brexit. The updated SCCs are in a modular format and, whilst they provide more comprehensive protection for personal data transfers outside of the EU and UK, they are inevitably more complicated.
How we’re helping
We’ve produced our SCCs Handbook to make compliance simpler. It covers key points such as how your business will be affected, what has changed with EU adequacy decisions, what’s different in the updated SCCs, and how to apply them.
Implementing the updated SCCs is likely to add to your data compliance workload, but our SCCs Handbook is designed to ease that burden. Should you need extra support, we are ready to help; for example, we can set up an action plan to audit and review the contracts you’ll need to change.
Download using the form below.