Do the UK General Data Protection Regulation and Data Protection Act govern your transfers of personal data to the United States? (Or do they apply to your personal data transfers to another country without “adequate” safeguards?) The UK has launched new mandatory contract terms for those using contracts to legitimize transfers.
- What terms? Those relying on contract terms for transfers must choose (a) the UK’s International Data Transfer Agreement (“IDTA”) or (b) the UK Addendum to the EU’s 2021 standard contractual clauses for international transfers (“new” SCCs).
- September 21, 2022: For new agreements or new processing operations under existing agreements.
- March 21, 2024: For transfers under contracts in effect as of September 21, 2022. (But no grace period for new processing operations.)
- Are the UK deadlines the same as the deadlines to start using the “new” EU SCCs? No. For new contracts under the EU GDPR (relying on contract terms for cross-border transfers), the “new” SCCs were required as of September 27, 2021. For contracts by then in effect, the deadline is December 27, 2022. (But no grace period for new processing operations.)
- Why are we talking about this now? On March 21, 2022, the deadline for the UK Parliament to object to the new terms ended. Parliament did not object, so the IDTA and UK Addendum options became effective.
Eager for more information about addressing documents like these, and contract terms about data in general?
- On April 19, 2022, we offer a one-hour webinar, Data Privacy Terms in Tech Contracts.
- Data management and privacy generally are among the topics addressed in our comprehensive Tech Contracts Master Classes, the next four-class series of which runs April 14 – May 5, 2022.
(c) 2022 by Tech Contracts Academy.
Graphic courtesy of Pixabay.com.