Updated standard clauses & deadlines
Most businesses rely on third party software to process personal data (for staff, customers, prospects, suppliers, etc). Many tech companies we work with provide this service to their customers too, e.g. HR software, CRM systems, email, doc/communication sharing platforms, etc etc).
In each case, a data processing agreement (DPA) covering how personal data is processed is required by law. Failure to do so risks large fines under the GDPR and related legislation.
Where data is processed outside the UK or EU, you need to take further steps to comply with the law, which can include entering into data transfer agreements that include standard contractual clauses (SCCs).
In June last year, the EU published new EU SCCs. But, following Brexit, the new EU SCCs are no-longer valid for UK personal data transfers. So, in February this year, the UK issued new templates – these include:
- The UK Addendum which needs to be added to the new EU SCCs where UK personal data is being transferred together with non-UK data outside the UK to ‘third’ countries (ie not an EU member state, Norway, Iceland, or Liechtenstein); and
- The International Data Transfer Agreement (IDTA), a stand-alone agreement that can be used where UK data (only) is being transferred outside the UK to ‘third’ countries .
Certain deadlines apply for the use of the new SCCs and templates:
1. 21st September 2022
All NEW data processing agreements need to include one of the following, depending on what data is being transferred, so choose the right one for you.
- for transfers of EU data to ‘third’ countries – use the new EU SCCs; or
- for transfers of both UK and EU data to ‘third’ countries – use the UK Addendum PLUS the new EU SCCs; or
- for transfers of UK data only, from the UK to ‘third’ countries – use the IDTA.
From this date, you also need to have a framework in place to conduct transfer impact assessments (TIAs) to show you’ve assessed the risk of sending personal data to the ‘third’ countries and considered putting in place any supplementary measures needed to protect the personal data being transferred.
2. 27th December 2022
Any existing contracts that used the old EU SCCs must be updated to append the new EU SCCs.
3. 21st March 2024
Any existing contracts that used the old SCCs for UK data transfers must be updated to append either the UK Addendum or IDTA.
If you’re transferring data outside the EU/ UK then this applies to you and therefore any contracts using old SCCs need to be updated and your processes checked. Please get in touch if you want to discuss this with us in more detail – firstname.lastname@example.org