Some organisations have questions and concerns about what Standard Contractual Clauses (SCCS) they need to use when they aim to perform international transfers of personal data from the United Kingdom (“UK”) to third countries.
The position is still a bit convoluted as the ICO has not yet published UK specific SCCs. So, at this moment there are two scenarios:
- For transfers from the UK to third parties, companies should continue use the UK version of the old SCCs for now. These will be replaced by a new UK International Data Transfer Agreement (expected later this year).
- For transfers from the EU to third countries, the new EU SCCs should be used. And existing contracts must be updated to reflect new EU SCCs by December 2022.
Although use of the new EU SCCs would not be valid in the UK currently, a few months ago the ICO published for consultation an addendum to be used with the new EU SCCs so that they can be used in the UK as well as in the EU (the “UK Addendum”). In terms of the companies’ data transfer agreements, companies could then use the Addendum to add the UK to the new EU SCCs once they are valid.
Considering the current situation, some organisations are trying to front load some of this work by using the new EU SCCs and incorporating the draft version of the UK Addendum, together with a provision for the parties to commit to replace the draft Addendum with the new one as soon as the final version is issued. This is a risk-based approach that may not be perfect from a compliance point of view, but it could be a good option if the organisation does not want to attach two different sets of SCCs to contracts. Finally, in terms of additional burdens or obligations in the new EU SCC’s that UK companies should be aware of, the new SCCs are very similar to the old ones. The main difference is that they require additional information/details about the transfer in the appendices and organisations may need to verify this against their records of processing. The format of the new EU SCCs is quite different as they are divided into four modules depending on the data sharing relationship: controller to controller, controller to processor, processor to processor and processor to subprocessor (whilst the old ones were only for controller to controller and controller to processor relationships).