Monday 21 March 2022 saw changes made in the UK as to how international personal data transfers are to be conducted, following the Information Commissioners Office (ICO) consultation carried out in 2021. Exporters transferring personal data outside of the UK are able to freely do so as long as the country they are transferring to, meets the UK’s adequacy regulations, meaning the UK is satisfied with the countries safeguarding of personal data and it meets the UK GDPR requirements. If the transfer is to a country which does not meet the level of adequacy required, additional provisions are needed to allow the safe transfer of data in accordance with section 47 of the UK GDPR. The changes made are only relevant when this is the case.
Exporters of data who have been required to transfer personal data outside of the UK to a country which fails to meet the adequacy requirements have been using the required European Commission’s Standard Contractual Clauses (SCC’s) within their agreements to comply with the UK GDPR.
The current changes allow exporters of data to use the International Data Transfer Agreement (IDTA) or continue to use the SCC’s with the addition of the new International Data Transfer Addendum (UK Addendum). From 21 March 2022, either option is available for an organisation to use, to comply with Article 46 of the UK GDPR when transferring personal data outside of the UK to a country which fails to meet the adequacy legislation.
Transitional arrangements are currently in place and exporters of personal data can use the SCC’s used to date until 21 September 2022, from which date, only the new arrangements will be valid for transfers of personal data from the UK. Any contracts which are agreed prior to this date and using the SCC’s which have been used thus far, are able to continue with these so long as they continue to provide appropriate safeguards and the activities remain unchanged for the purpose of Article 46 of the UK GDPR, until 21 March 2024.
The IDTA replaces the SCCs to provide the appropriate safeguards required under the UK GDPR for international data transfers from the UK. The Addendum to the SCC’s is merely incorporating and replacing the references to EU laws with the UK laws, allowing organisations to use the SCCs for international data transfers from the EU, but also from the UK.
An organisation can make a commercial decision to choose between using the IDTA or the SCCs with the Addendum.
These changes are only relevant for those organisations which export personal data to a country which does not meet the safeguarding requirements of the UK GDPR under the adequacy regulations. The list of countries who meet the adequacy regulations can be found on the Information Commissioner’s website. We recommend relevant organisations to consider their current agreements/contracts and how they wish to move forward with these changes to adhere to the new regime.
The IDTA and the Addendum with the new SCC’s are available on the ICO website.