Awdurdod annibynnol y Deyrnas Unedig a sefydlwyd i gynnal hawliau gwybodaeth er budd y cyhoedd, annog cyrff cyhoeddus i fod yn agored a hybu preifatrwydd data i unigolion.

The EU Commission announced on 28 June 2021 that adequacy decisions for the UK have been approved. We are in the process of updating our guidance to reflect this decision.

 

Once the transition period for leaving the EU ends, the UK will be able to produce its own SCCs for restricted transfers made from the UK. In the meantime, UK controllers can continue to use the existing EU SCCs (valid as at 31 December). See below for more detail.

The European Commission are consulting on new draft SCCs, which we expect will be formally issued some time in 2021. This means they will not be valid SCCs for restricted transfers from the UK.

The recent Schrems II decision will continue to apply if you are making a restricted transfer from the UK using SCCs. This decision requires that you must make an assessment as to whether those SCCs provide protection which is ‘essentially equivalent’ to the protections in the UK data protection regime, and if necessary put in place additional measures.

This assessment is undoubtedly complex in many situations. The European Data Protection Board (EDPB) have published for consultation, Recommendations on measures that supplement transfer tools. We expect the final version to be issued some time in 2021. The recommendations (when finalised) will apply to the EU GDPR transfer regime, and are included here only as useful reference about additional measures. The ICO intends to issue its own guidance on this topic in due course.

New Restricted Transfers from the UK

You can continue to use the current EU SCCs for restricted transfers from the UK.

You are able to make changes to those EU SCCs so they make sense in a UK context provided you do not change the legal meaning of the SCCs. For example, changing references from the old EU Data Protection to the UK GDPR, changing references to the EU or Member States, to the UK, and changing references to a supervisory authority to the ICO.

Otherwise you must not make any changes to the SCCs, unless it is to add protections or more clauses on business related issues. You can add parties (ie additional data importers or exporters) provided they are also bound by the SCCs.

We have created UK versions of the SCCs (with guidance), with suggested UK changes made for you.

Existing data transfers

After the transition period ends, you can continue to rely on existing SCCs which you have in place for restricted transfers from the UK. Although after the Schrems II decision, you should be reviewing whether they provide sufficient protection for data subjects and if necessary taking additional measures.

Future changes to SCCs

The ICO intends to consult on and publish UK SCCs during 2021.

The ICO and the Secretary of State must keep the transitional arrangements for SCCs under review. It may be that at some point the EU SCCs will cease to be valid, for new and/or existing restricted transfers from the UK. The ICO will provide more information about this when this situation arises, giving you plenty of notice.

Further Reading

For more information about restricted transfers, read our guidance on international transfers.

Existing EU SCCs: