Book a call
By LegalEdge Marketing, News

Processing personal data outside the UK 

Updated standard clauses & deadlines

Most businesses rely on third party software to process personal data (for staff, customers, prospects, suppliers, etc). Many tech companies we work with provide this service to their customers too, e.g. HR software, CRM systems, email, doc/communication sharing platforms, etc etc).  

In each case, a data processing agreement (DPA) covering how personal data is processed is required by law. Failure to do so risks large fines under the GDPR and related legislation.  

Where data is processed outside the UK or EU, you need to take further steps to comply with the law, which can include entering into data transfer agreements that include standard contractual clauses (SCCs).  

In June last year, the EU published new EU SCCs. But, following Brexit, the new EU SCCs are no-longer valid for UK personal data transfers. So, in February this year, the UK issued new templates – these include:  

  • The UK Addendum which needs to be added to the new EU SCCs where UK personal data is being transferred together with non-UK data outside the UK to ‘third’ countries (ie not an EU member state, Norway, Iceland, or Liechtenstein); and
  • The International Data Transfer Agreement (IDTA), a stand-alone agreement that can be used where UK data (only) is being transferred outside the UK to ‘third’ countries .

Certain deadlines apply for the use of the new SCCs and templates:  

1. 21st September 2022

2. 27th December 2022

3. 21st March 2024

If you’re transferring data outside the EU/ UK then this applies to you and therefore any contracts using old SCCs need to be updated and your processes checked. Please get in touch if you want to discuss this with us in more detail –

Back To Blog Our Services
  • Share:

What do our clients think?