Spring Cleaning: Fix contract terms for data transfers from the UK

[Things don’t stand still in the world of data privacy. Check out our updates: https://www.techcontracts.com/2023/07/21/personal-data-transfers-schrems/, and background here – The Clock is Ticking: Are Your Contract Terms Out-of-Date for Transfers of Personal Data Subject to the GDPR?Third Time Lucky? Personal Data Transfers between the U.S., EU, UKDraft EU “Adequacy Decision” for Data Transfers to U.S. Now What?]

Do the UK General Data Protection Regulation and Data Protection Act govern your transfers of personal data to the United States? (Or do they apply to your personal data transfers to another country without “adequate” safeguards?) The UK has launched new mandatory contract terms for those using contracts to legitimize transfers.

U.S. to EU: use an IDTA?

  • When?  
    1. September 21, 2022: For new agreements or new processing operations under existing agreements.    
    2. March 21, 2024: For transfers under contracts in effect as of September 21, 2022. (But no grace period for new processing operations.)
  • Are the UK deadlines the same as the deadlines to start using the “new” EU SCCs? No.  For new contracts under the EU GDPR (relying on contract terms for cross-border transfers), the “new” SCCs were required as of September 27, 2021. For contracts by then in effect, the deadline is December 27, 2022. (But no grace period for new processing operations.)
  • Why are we talking about this now? On March 21, 2022, the deadline for the UK Parliament to object to the new terms ended. Parliament did not object, so the IDTA and UK Addendum options became effective.  

By Kathy O’Sullivan, Esq. (CIPP/E, CIPP/US)

Eager for more information about information technology contracts? Tech Contracts Academy offers public and in-house training, including Tech Contracts Master Classes.

(c) 2022 by Tech Contracts Academy. All rights reserved.

Graphic courtesy of Pixabay.com.

Share the Post:

Related Posts