In the last couple of years, there’s been a flurry of activity around standard contractual clauses (clauses permitting the transfer of personal data to countries that haven’t been determined to provide an “adequate” level of protection). Just to recap:
- June 4, 2021: The European Commission released the new modular standard contractual clauses (modular SCCs). From that date, you can mix and match the modules as applicable to various relationships (controller to processor, controller to controller, etc.).
- February 2, 2022: The UK Information Commissioner’s Office adopted an International Data Transfer Addendum to the modular SCCs (UK addendum) as well as an International Data Transfer Agreement (IDTA). (The former document is an amendment to the modular SCCs; the latter is a stand-alone agreement.)
- September 27, 2021: All new SCCs must conform to the modular SCCs.
- September 21, 2022: All new data transfers from the UK must include either the UK addendum or the IDTA.
- December 27, 2022: All SCCs (old and new) must conform to the modular SCCs.
- March 21, 2024: All data transfers from the UK (old and new) must include either the UK addendum or the IDTA.
A lot to keep track of! If you’re behind the curve, don’t worry – you have lots of company. This is a situation where the term “triage” is certainly appropriate. My recommendation would be, as a first priority, make sure any new data processing agreements reflect the new (modular) SCCs and the UK SCCs, as applicable. Then clean up existing data processing agreements as time and resources permit.