We answer some common questions we’ve encountered about the recent changes to the international data transfer regime in the UK.

How does all that you are covering apply to an organisation's use of services such as Mailchimp, Stripe, etc? Do the standard T&Cs/privacy notices etc of these services cover the requirements?

T&Cs and privacy notices are different from mechanisms for international transfers.  Mailchimp and Stripe both send personal data to the US, so a mechanism needs to be in place (either the EU SCCs/EU SCCs plus UK addendum/International Data Transfer Agreement, as applicable). You may find that service providers have already incorporated these into their contracts, particularly if they have a large EU/UK client base, but you should check this on the service provider’s website, or in the materials they provide to you. You will also need to conduct a transfer risk assessment and implement any appropriate supplementary measures.

Where is best to find out information on all third countries' data protection laws and regs?

Examples of useful resources include:    

Assessing compliance with the rule of law etc in third countries is difficult. The main thing is to have something to show in this space.

The scenario is: a Company is subject to the EU and UK GDPR and the contract has been signed using the new SCC to cover both transfers. If an amendment to the contract will be signed before September 2022, do you advise using the UK Addendum to the EU SCCs from now or waiting until March 2024?

The 21 March 2024 date is only relevant for the old EU SCCs. You need to put the UK Addendum in place (from this point) so that the new EU SCCs can be relied on for transfers out of the UK. 

If the ICO’s “standard contractual clauses for controllers to processors” has been used in a transfer from the UK to the US, do we need to still enter and use the new international data transfer contract?

This seems to be a reference to the old EU SCCs. They can continue to be relied on until 21st March 2024. However, if your processing activities have changed then you should put the new International Data Transfer Agreement in place (or the EU SCCs together with the UK Addendum, if appropriate).

The EU SCCs + Addendum can add a number of pages to a contract. Is it possible to incorporate both of these by reference into contracts? 

Yes, it is possible to incorporate the relevant documents by reference. It remains unclear how regulators will react to incorporation of EU SCCs in this way (or whether e.g. they would prefer the EU SCCs to be included in their entirety), but as things stand our view is that it would be acceptable to incorporate the EU SCCs and UK Addendum by reference. Note, however, that you would need some further drafting in the contract if you are incorporating by reference. For example, for the EU SCCs you will need to set out which module applies to your transfers. Further, there are certain parts of the EU SCCs that organisations must complete, including (i) the Annexes and (ii) whether or not they wish to include optional clauses.

Can you talk a bit about what constitutes a restricted transfer, in particular as it relates to whether the importer is or is not subject to the GDPR?

A restricted transfer happens when personal data is transferred from the EU or the UK to a third country or is otherwise made available to a data importer in a third country. The EDPB’s draft guidance suggests that a restricted transfer happens whether or not the EU GDPR [or UK GDPR] applies to the entity in the third country. This reading makes sense. If this were not the case then there would be a higher level of protection from access by public authorities in a third country if the importer was not subject to the EU GDPR [or UK GDPR] as compared with if the importer was subject to the EU GDPR or UK GDPR. That is because the Schrems II risk assessment/supplementary measures are only applicable where there is a restricted transfer.