The EU Commission announced on 28 June 2021 that adequacy decisions for the UK have been approved. We are in the process of updating our guidance to reflect this decision.
The Brexit transition period ended on 31 December 2020. The GDPR is retained in domestic law as the UK GDPR. As part of the new trade deal, the EU has agreed to delay transfer restrictions for at least another 4 months, which can be extended to 6 months (known as the bridge). This tool is for small and medium-sized businesses and organisations based in the UK who need to maintain the free flow of personal data into the UK from Europe, if the EU has not made an adequacy decision about the UK at the end of the bridge. We recommend you put alternative safeguards in place before the end of April, if you haven’t done so already.
In the vast majority of cases, this is best done by putting in place a contract between you and the sender on EU-approved terms, known as standard contractual clauses (SCCs).
If you are a larger organisation or multinational company, a data protection professional, or you already have well-established transfer mechanisms, this tool may not suit your needs. You will find it more helpful to read our other guidance on the end of the transition period and on international transfers.
How can this tool help me?
If you receive personal data into the UK from the EEA (the EU plus Iceland, Liechtenstein and Norway), the tool will help you:
- decide whether standard contractual clauses (SCCs) can help you maintain the flow of data
- select the right SCCs.
- understand the SCCs.
- complete the SCCs.
Why do we need to use SCCs?
If someone in the EEA sends personal data to someone else who is outside the EEA, they must comply with GDPR rules on international transfers of personal data. SCCs are one of a number of safeguards which can be used to comply, and the one most likely to be appropriate for small and medium-sized businesses.
SCCs are standard sets of contractual terms and conditions which the sender and the receiver of the personal data both sign up to. They include contractual obligations which help to protect personal data when it leaves the EEA and the protection of GDPR.
It is the EEA sender of the personal data which must comply with GDPR rules, but UK receivers may want to assist those senders in complying, to make sure data continues to flow if the transition period ends without adequacy.
SCCs are not the only safeguard. Our guidance on international transfers.
What if I need the data urgently?
If you are receiving personal data for a medical emergency or another compelling urgent reason where a one-off transfer of personal data is required, the sender may be able to rely on an exception to the usual transfers rules and you will not need to use this tool.
Are there alternative arrangements I can use?
If you are a small or medium sized business or third sector organisation, then SCCs are usually your best option. You are unlikely to have a realistic alternative.
If you are a public authority receiving the data from another public authority, you may still use the SCCs, if both you and the sender are able to enter into contracts. However, there are other options for transfers between public authorities. You may be able to enter into your own contract or (if one or both public authorities are unable to enter into a contract) an administrative arrangement to ensure individuals rights and remedies.
If you are part of a multinational group of companies and are receiving the data from within that group, you may not need SCCs if your group has approved binding corporate rules (BCRs) in place.
Where can I find the SCCs?
If you already know which SCCs you need to use, you can skip this tool and click here to open a template word document containing the SCCs and guidance on how to complete them:
Or if you prefer you can click below to use our contract builder to automatically generate and complete SCCs for your transfer. Once you click start, you will be asked a number of detailed questions about the nature of the data you're transferring, the organisations involved and your current security measures. You will also be asked to tick any additional clauses that apply: