Personal data | Transferring outside the UK

Crispin Dick | 1st April 2022

Transfers of personal data outside the UK


On 21 March 2022 the International Data Transfer Agreement (IDTA) and Addendum to the new EU Standard Contractual Clauses (New SCCs) came into force in the UK in relation to the transfer of personal data outside the UK.

The UK GDPR allows international transfers of personal data where the data exporter has provided appropriate safeguards. Such safeguards are often provided by the use of “standard contractual clauses”. Until now, the UK has not produced its own standard contractual clauses to provide adequate safeguards for international transfers of personal data. Instead, the Data Protection Act 2018 set out transitional provisions allowing the continued use by data exporters of standard contractual protection clauses which were issued under a prior EU data protection directive (the “Transitional SCCs”), and the use of such clauses continued to be valid even after Brexit.

The IDTA and the Addendum will replace the Transitional SCCs. The IDTA is a standalone agreement, whereas the Addendum will supplement the New SCCs (which came into force on 27 September 2021) and can be used in conjunction with the New SCCs as an alternative to the IDTA.

There is a grace period until 21 September 2022 whereby the Transitional SCCs can continue to be used for transfers of personal data outside the UK; any new arrangements after this date must use the IDTA or Addendum with the new EU SCCs. Contracts concluded on or before 21 September 2022 on the basis of any Transitional SCCs shall continue to provide appropriate safeguards for the purpose of the UK GDPR until 21 March 2024, provided that the processing operations that are the subject matter of the contract remain unchanged and reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards.

For organisations subject to the EU GDPR, there is an additional deadline of 27 December 2022 by which time any existing arrangements under the old EU SCCs must be transferred to the New SCCs. The remainder of this blog will focus upon the IDTA and Addendum.

How can personal data be transferred outside the UK?

Organisations subject to the UK GDPR can transfer personal data to a ‘third country’ (one that is located outside the UK) if:

  • there are adequacy regulations in respect of the country in which the receiver is located (a list of which can be found on the ICO website); or
  • ‘appropriate safeguards’ are put in place and you have undertaken a transfer impact assessment and implemented any additional measures required; or
  • an exception within the UK GDPR applies.

The most common safeguard has historically been the use of standard contractual clauses, but the Transitional SCCs had certain shortcomings. These have therefore been superseded by the New SCCs for data controllers required to comply with EU GDPR and the IDTA for data controllers required to comply with UK GDPR. Data controllers required to comply with both regimes can use the New SCCs in conjunction with the Addendum. Any form of standard contractual clauses (whether an IDTA or the New SCCs with an Addendum) must be supplemented by a transfer impact assessment to satisfy yourself that the data subjects continue to have protection that is ‘essentially equivalent’ to that provided by the UK’s regime. This risk assessment should take into account the protections offered by the safeguard and the legal framework of the recipient country. Additional safety measures will be required if the safeguard alone is not sufficient to ensure equivalent protection.

Larger businesses transferring personal data between group companies may instead wish to consider utilising binding corporate rules.

Should you use the IDTA or the Addendum?

The IDTA comprises a tabular first section, the majority of which includes tick-boxes and guided data-entry spaces, followed by a set of mandatory clauses which cannot be amended. This contrasts with, and is likely to be more user-friendly than, the new EU SCCs which are a modular template agreement.

It should be noted that the IDTA must be supplemented by a ‘linked agreement’, such as a data processing agreement, to deal with data processor obligations under Article 28 where the recipient is a processor or sub-processor. This can add flexibility to arrangements as additional terms can be included as long as they do not diminish the protections provided by the IDTA.

The Addendum can be used instead of the IDTA and is likely to be of particular interest for organisations that are subject to both the UK GDPR and the EU GDPR. It is a relatively short supplement to the new EU SCCs to ensure compliance with both data protection regimes. Given its shorter length, it may also be more attractive to organisations who are already familiar with the EU SCCs. Moreover, it contains data processor clauses pursuant to Article 28 which avoids the need for an additional data processing agreement.

If you would like to discuss this blog or any other commercial contract query, please contact a member of the Commercial team and we will be delighted to assist you.
