International data transfers are now the norm rather than the exception. However, the additional steps required to transfer data under EU/UK data protection law, including complex Transfer Impact Assessments (TIAs) and the confusion around suitable transfer tools, can lead research projects to be delayed or cancelled. We can provide up-to-date information and advice on GDPR-compliant cross-border transfers and Standard Contractual Clauses.
UK and EU international data transfer rules start from the position that it's better to transfer health data to countries that have data protection regulations that provide an equivalent or adequate level of protection under applicable EU or UK law. However, the list of countries that fulfil this requirement is limited, and historically countries have only been added after rigorous scrutiny.
In June 2021, the European Commission issued updated SCCs, and organisations have had to use these SCCs since 27 September 2021 for all new transfers. Businesses have a deadline of 27 December 2022 to update all their existing data transfer contracts with the new SCCs.
Additionally, since the Schrems II judgement in the summer of 2020, organisations making cross-border transfers have been required to carry out Transfer Impact Assessments (TIA), which form part of the contract between the parties. TIAs are potentially challenging and time-consuming. We can provide a template and guidance on how to carry out a TIA during the set up of each clinical trial and/or vendor transfer.