Companies that rely on standard contractual clauses for transferring personal data from the United Kingdom to jurisdictions not considered to offer an adequate level of data protection under the UK General Data Protection Regulation can no longer use the old EU standard contractual clauses in new contracts as of today, Wednesday 21 September 2022.
Instead, businesses must use the international data transfer agreement (the “IDTA”) or the international data transfer addendum to the European Commission’s standard contractual clauses (the “UK Addendum”) which were approved by the UK Information Commissioner’s Office for this purpose and entered into force on 21 March 2022. You can read more information about both documents in our client alert.
Practically, businesses need to update any template contracts (e.g. with customers or suppliers) which incorporate the old EU’s standard contractual clauses and replace them with the IDTA or the UK Addendum.
Businesses should also review their existing contracts which still use the old EU standard contractual clauses and identify those that will need be renegotiated by 27 December 2022 (to include the new European Commission’s standard contractual clauses for personal data transfers outside the European Economic Area) and 21 March 2024 (to include the IDTA or the UK Addendum for personal data transfers outside the United Kingdom).