Companies transferring personal data out of the EU or UK are reminded of key deadlines approaching for the contracts that govern these transfers. When the European Commission adopted the new Standard Contractual Clauses (SCCs) in 2021, it set a deadline of December 27, 2022 for existing contracts under the old SCCs. This means that by December 27, 2022 onward, all existing contracts using the old SCCs will need to be replaced by the new terms.

Post-Brexit, the new EU SCCs are not a valid transfer mechanism under the UK GDPR. In February of this year, the UK ICO adopted an international data transfer addendum to the EU SCCs (the UK Addendum) and a standalone international data transfer agreement (IDTA). As of September 21, 2022, all new agreements that govern the transfer of personal data out of the UK must use either the UK Addendum alongside the new EU SCCs, or the IDTA. Existing agreements for transfers are valid until March 21, 2024. At that time, any existing agreements must be replaced with either the IDTA or the UK Addendum.

Putting it into Practice. Companies should inventory all data transfers out of the EU and UK and access the status of the data transfer clauses in those contracts. In some instances, companies may find that some vendors have unilaterally updated agreements for data transfers. Nonetheless, companies will want to note which agreements have been updated or not, and take steps to update the ones that are not. Both controllers and processors of personal data should look to update all form agreements to account for these requirements.