If a pension scheme wants to transfer personal data outside the UK to a country not considered by the UK government to offer an adequate level of data protection (a restricted transfer)1, appropriate safeguards must be put in place for that transfer unless one of the limited exemptions under the UK General Data Protection Regulation (UK GDPR) applies2. One safeguard is to include “standard contractual clauses” (SCCs) in the contract under which data will be transferred outside the UK.
In 2022, the UK Information Commissioner’s Office introduced changes to the SCCs that can be used. From 21 September 2022, new contracts under which parties make restricted transfers must include one of the following:
- An international data transfer addendum to the SCCs produced by the European Commission (the UK Addendum).
- An international data transfer agreement (the IDTA).
However, the changes are not confined to new contracts. All existing contracts must be updated by 21 March 2024 to include one of the above safeguards.
What does this mean for trustees?
Advisers and service providers who make restricted transfers on behalf of trustees – Although there might be limited circumstances in which trustees make restricted transfers themselves, advisers and service providers who process data on the trustees’ behalf may well do so. Trustees should therefore ensure that suitable contractual commitments are in place with their advisers/service providers, under which the advisers/service providers must notify the trustees of any restricted transfer and confirm that they have entered into, and are complying with, the UK Addendum or the IDTA for those transfers. However, trustees will not need to enter into the UK Addendum or the IDTA directly if they are not making the restricted transfer themselves.
Trustees who make restricted transfers themselves – In circumstances where trustees themselves make a restricted transfer, such as to a branch of a service provider established in a country not considered to offer an adequate level of data protection, trustees will need to ensure that they either:
- Transfer the data to a UK branch of the service provider and ask the UK branch to transfer the personal data to the branch outside the UK.
- Enter into appropriate safeguards with the non-UK branch for the restricted transfer. Where those safeguards take the form of inclusion of SCCs in the contract with the adviser/service provider, trustees will need to ensure that the contract includes either the UK Addendum or the IDTA by 21 March 2024.
Risk assessment – Trustees who make the restricted transfer themselves, and so rely on the UK Addendum or the IDTA, must also carry out a transfer risk assessment3 to ensure that the contractual safeguards in the UK Addendum or the IDTA are not undermined by the laws and practices in the country of the data recipient. Importantly, trustees will not be required to conduct a transfer risk assessment if their adviser or service provider is making the restricted transfer. For this reason, there is benefit in trustees ensuring that they first transfer the personal data to a UK service provider before the service provider transfers the personal data outside the UK. For more detail on transfer risk assessments under the UK GDPR, please see our data protection colleagues’ legal update.
How we can help
Mayer Brown can advise on all aspects of trustees’ data protection obligations including:
- Reviewing contracts with advisers and service providers to ensure the appropriate commitments are included.
- Updating contracts to include the UK Addendum or the IDTA.
- Advising on what a transfer risk assessment involves and helping to conduct a transfer risk assessment exercise for international data transfers.
1 The UK government has recognised the following countries and territories as offering an adequate level of data protection: member states of the European Economic Area, Andorra, Argentina, Canada (organisations subject to Canada's Personal Information Protection and Electronic Documents Act only), Gibraltar, Guernsey, Isle of Man, Israel, Japan (private sector organisations only), Jersey, New Zealand, South Korea, Switzerland and Uruguay.
2 Appropriate safeguards do not have to be implemented if one of the limited exemptions under Article 49 UK GDPR applies, such as the transfer being necessary for the “establishment, exercise or defence of legal claims”.