Other Author Kiran Chita, Trainee Solicitor
Companies that rely on standard contractual clauses ("SCCs") for transferring personal data from the European Economic Area (“EEA”) to jurisdictions not considered to offer an adequate level of data protection under the EU General Data Protection Regulation must ensure that none of their existing contracts use the old SCCs after 27 December 2022.
Businesses are required to update their existing contracts with customers, vendors and entities in their corporate group to include the European Commission’s new SCCs to legally transfer personal data from the EEA to non-adequate jurisdictions (such as the United States).
While many companies are towards the end of the repapering process from the old to the new SCCs, more than a decade of using the old SCCs and the new requirement to carry out transfer impact assessments means that some businesses might find it difficult to meet the deadline for all their contracts.
Prioritising key contracts that cover data transfers which are essential for the operation of the business and/or carry the most risk may help companies reduce the risk of business disruption and enforcement by data protection authorities. However, we anticipate that individuals (such as unhappy customers or employees), privacy campaigners and regulators will soon step up the pressure on businesses that do not comply with the 27 December 2022 deadline.
For personal data transfers outside the United Kingdom, all existing contracts that incorporate the old SCCs will need to be updated by 21 March 2024 to include the international data transfer agreement or the addendum to the SCCs approved by the UK Information Commissioner's Office for this purpose.