For the time being, the ICO confirms it is still OK to use the EU Standard Contractual Clauses (SCCs) for existing or new international data transfers from the UK.
However, they add guidance that certain tweaks are allowed to tailor them specifically for UK GDPR (which has been in force in the UK since 31st December 2020). Other changes to the SCCs are not allowed and may make them invalid.
Accordingly, new versions that include suggested UK changes with guidance have been published by the ICO – one for controller to processor and one for controller to controller. UK companies could consider adopting these to safeguard transfers of personal data outside the UK and EEA. However, the ICO also says it is working towards publishing new updated sets of UK SCCs sometime during 2021. (The EU is also getting close to adopting its own new EU SCCs.)
Tips: Clauses for international data sharing
- To minimise changes, where your UK business has existing SCCs with a client or other parties outside the EEA, consider continuing to rely on the current EU SCCs for the time being. For new transfer arrangements, consider adopting the UK GDPR versions instead. New UK SCCs will replace them in due course, but the ICO have assured they will give plenty of notice.
- If you have offices in the EU, they would continue to use EU SCCs only.
How can we help?
- For helpline subscribers, a ready-to-use format of the ICO’s UK GDPR SCCs is available on our client portal.
- Ask us for further help understanding when and how to use SCCs when you share personal data with clients, suppliers or your group companies.