Data Protection Law
As we have covered previously, exporting personal data outside of the UK is what is known under the UK GDPR as a ‘restricted transfer’. As the name might betray, it is not possible for data controllers (or processors) to make a restricted transfer unless one of the relevant legal conditions is satisfied.
One of these is to enter into a contract between the exporter and the importer that contains SCCs.
Since the decision of the Court of Justice of the European in Schrems II, the EU (and the UK) published revised SCCs which replaced the old versions in place before the decision. In the UK these came into force on 21 March 2022, and are available on the ICO’s website here. There are two versions – a freestanding agreement termed as a ‘international data transfer agreement’ and an ‘Addendum’ to the EU’s version of the SCCs. The Addendum would be incorporated into another, likely commercial, agreement between the exporter and the importer.
After 21 March 2024 (a month from now!), the old versions of the SCCs will no longer be valid.
This means, that unless the exporter is utilising the international data transfer agreement or the Addendum and cannot otherwise rely on one of the other conditions, the exportation of the personal data will be unlawful.
What this mean? Check your contracts that were entered into before 21 March 2022. If you are exporting personal data in connection with them (which even includes making data available to suppliers overseas that access systems remotely), seek legal advice.
At EM Law, we are experts in data protection law. If you need help with revising older agreements to ensure they are compliant with the UK GDPR, or more generally, please contact us.
One of our leading data experts, such as Colin Lambertus, would be more than happy to speak with you.