[Things don’t stand still in the world of data privacy. Check out our short updates: The Clock is Ticking: Are Your Contract Terms Out-of-Date for Transfers of Personal Data Subject to the GDPR?; Third Time Lucky? Personal Data Transfers between the U.S., EU, UK; Draft EU “Adequacy Decision” for Data Transfers to U.S. Now What?]
Do the UK General Data Protection Regulation and Data Protection Act govern your transfers of personal data to the United States? (Or do they apply to your personal data transfers to another country without “adequate” safeguards?) The UK has launched new mandatory contract terms for those using contracts to legitimize transfers.
- What terms? Those relying on contract terms for transfers must choose (a) the UK’s International Data Transfer Agreement (“IDTA”) or (b) the UK Addendum to the EU’s 2021 standard contractual clauses for international transfers (“new” SCCs).
- September 21, 2022: For new agreements or new processing operations under existing agreements.
- March 21, 2024: For transfers under contracts in effect as of September 21, 2022. (But no grace period for new processing operations.)
- Are the UK deadlines the same as the deadlines to start using the “new” EU SCCs? No. For new contracts under the EU GDPR (relying on contract terms for cross-border transfers), the “new” SCCs were required as of September 27, 2021. For contracts by then in effect, the deadline is December 27, 2022. (But no grace period for new processing operations.)
- Why are we talking about this now? On March 21, 2022, the deadline for the UK Parliament to object to the new terms ended. Parliament did not object, so the IDTA and UK Addendum options became effective.
By Kathy O’Sullivan, Esq. (CIPP/E, CIPP/US)
Eager for more information about information technology contracts? Tech Contracts Academy offers public and in-house training, including Tech Contracts Master Classes.
(c) 2022 by Tech Contracts Academy. All rights reserved.
Graphic courtesy of Pixabay.com.