In this article, we explain the impact that the new Standard Contractual Clauses (SCCs) recently issued by the European Union will have on businesses in the UK.
We will also consider the impact the issue of the new SCCs has on the use of Transfer Impact Assessments (TIAs).
What is new?
The General Data Protection Regulation 2016 (GDPR) governs the transfer of personal data to countries outside of the European Economic Area (EEA).
Countries outside the EEA are known as third countries - this now includes the UK.
Safeguards have been put in place to protect the transfer of personal data into third countries that do not contain adequate levels of data protection. The most common method to deliver these safeguards is to use Standard Contractual Clauses.
On 4 June 2021, the European Commission adopted new SCCs
These replace the “old” version adopted under the previous legislation and they came into force on 27 June 2021. The old SCC’s can only be used for a period of three months after this date. However, there is an additional 15-month transitional period where the old SCCs can be used where they have already been incorporated into contracts. This period runs out on 27 December 2022.
As a UK business, you may see these new Standard Contractual Clauses already appearing in contracts originating from EU countries.
What happens to businesses working under the UK GDPR?
The new SCCs have not yet been adopted into the UK GDPR. Businesses working under the UK GDPR rules will still need to use the old SCCs for data transfers from the UK to non-EEA countries.
New SCCs are likely to be introduced under the UK GDPR this year. It is hoped that they will be in the same or similar format to the new SCCs. We will update you on any developments in this area as soon as we know more.
What are the four new types of SCCs?
The new SCCs needed to be adopted due to changes in legislation and new case law.. The new SCCs feature a modular structure of clauses that data exporters will use based on the nature of their roles and responsibilities in relation to the data transfer in question:
- Controller-to-Controller,
- Controller-to-Processor
- Processor-to-(Sub-)Processor and
- Processor-to-Controller
Modular content
The new Standard Contractual Clauses contain content that is applicable to all four types of data transfer arrangements listed above, and the new SCCs also contain modular content.
The modular content is only applicable to specific types of data transfers. Businesses will need to work through the new SCCs to delete the modular content that is not applicable to the data transfers in question. Multi-parties and new ‘docking’ arrangements
The new SCCs are designed to be used by multiple parties. These new SCCs also provide for changes to be made over time including allowing for new parties to join into the SCCs by using a "Docking Clause".
Data Processing Agreements
Separate data processing agreements or clauses will no longer be required with the new SCCs, the content of Article 28 of GDPR has been incorporated into the new SCCs.
Transfer Impact Assessments
It is not sufficient for businesses to simply put in place the new or old SCCs (depending on whether UK GDPR or EU GDPR applies).
Businesses are still required to carry out a transfer impact assessment and make it available to the competent authority on request.
Final words
As mentioned above, the new SCCs have not yet been adopted into the UK GDPR.
Businesses working under the UK GDPR will still currently need to use the old SCCs for data transfers from the UK to non-EEA countries.
UK Businesses may still need to use the new SCCs if they are working with businesses in the EEA or overseas and data transfers are taking place under the EU GDPR. Over time it may be that businesses have two sets of SCCs in their standard contracts; we will need to see what happens with the UK GDPR and the adoption of its own new SCCs.
If you are in any doubt about which set of SCCs to use and whether you should be using the new or old SCCs for data transfers, please do not hesitate to contact LawBite for more guidance.
You can get legal assistance from LawBite
We understand that GDPR compliance can be difficult to navigate – with all those new rules and ongoing processes to comply with. Every business is unique so a one-size approach doesn’t work for everybody. At LawBite, our lawyers will work with you speedily and affordably to understand what your business needs and agree on a pathway to compliance.
LawBite online lawyers and online solicitors provide expert legal advice on all commercial and business matters. Book a non-commit 15-minute call with our friendly lawyers today or learn more by joining LawBite for free.
