As you might know, the new EU SCCs were published last year. The UK has now issued new templates for data transfers that can be used from 21 March 2022. With the UK templates confirmed and available, many multinational organisations with presence in the EU and the UK are gearing up to transition their contracts to the new templates. There are some deadlines to be aware of, which you will find in the ‘key dates to note’ section below.
The main agreements that organisations will need to focus on as part of their transition programme are:
- template agreements with customers and vendors on processing personal data;
- existing agreements with customers and vendors; and
- existing agreements within the group companies.
Key dates to note
- 21 March 2022: New SCC templates issued by the UK ICO are available for use.
- 21 September 2022: New contracts must use the new UK SCCs from this point on.
- 27 December 2022: Organisations need to have transitioned all existing contracts using the old Directive SCCs to the new EU SCCs by this date.
- 21 March 2024: All contracts that used the previous UK SCCs must be transitioned to the new UK SCCs.
Introducing our Data Transfer Pathway Tool
As you may recall, due to the CJEU’s Schrems II decision, organisations are required to document a transfer impact assessment (TIA) prior to signing any SCCs (both in the UK and the EU). The TIA is required to evaluate local laws of the third country in connection to government access to data.
Reed Smith has developed an online tool that would enable documenting the assessment and automating the drafting of the SCCs. It allows the organization, its clients or its vendors to complete the necessary documentation online on an iterative basis and store it to record its GDPR compliance. It also allows to save TIAs conducted for specific countries and to be re-used for other clients or vendors.
What can it do?
- Navigate complex data transfer scenarios including where several data recipients are involved or there are multiple onward transfers — either in Europe or outside of it
- Conduct a data transfer assessment for the user (as required the SCCs), identifying supplementary measures and creating a data transfer assessment report with the option of an indicative risk rating
- Build a data transfer agreement, automatically generating the required SCCs modules, with the annexes automatically populated from the answers to the data transfer assessment
Want to find out more?
A demo webinar of the tool is available, you can access it here.
Contact any of the authors for further information.