Privacy & Information Security Law Blog

On September 27, 2021, the transition period allowing companies to continue using the old EU Standard Contractual Clauses (“SCCs”) for new transfers from the EU to a third country ended. Companies entering into new transfer agreements incorporating the SCCs must now use those published by the European Commission on June 4, 2021 (the “new SCCs”). Transfers from the UK that rely on SCCs must continue to use the old SCCs.

Background

On June 4, 2021, the European Commission published the final version of the implementing decision on SCCs for transfers of personal data from the EU to third countries under the EU General Data Protection Regulation (“GDPR”), as well as the final version of the new SCCs. The new SCCs provided for a transition period of three months, during which companies could continue using the old SCCs. As of September 27, 2021, companies entering into new transfer agreements must now use the new SCCs. Contracts signed before September 27, 2021 that already incorporated the old SCCs will remain valid until December 27, 2022 (provided that the old SCCs remain unchanged).

Use in the UK

The UK has not recognized the new EU SCCs and companies therefore cannot currently use them to legitimize data transfers from the UK. For the time being, companies must continue relying on the old SCCs to safeguard transfers of data from the UK. In due course, the UK international data transfer agreement (currently subject to a public consultation) will be available for transfers from the UK to a third country. As part of this proposal, the UK ICO has released a simple draft template Addendum to the EU SCCs, that (if adopted) would allow companies to adapt the new EU SCCs to work in the context of UK transfers.