UK data transfer

New UK standard contractual clauses to enable the transfer of personal data transfers from the UK internationally come into effect on 21st March 2022.

The UK GDPR (the UK’s retained version of the EU General Data Protection Regulations) restricts the transfer of personal data to countries outside of the UK or to international organisations unless the receiver of the personal data is located within a third country, territory or international organisation covered by a UK “adequacy decision” (where the UK considers the legal framework in that country, territory or international organisation provides adequate protection for individuals’ rights and freedoms for their personal data).

For any transfer of personal data to a country not covered by an adequacy decision (for example, the US), appropriate safeguards must be put in place before the transfer of personal data is made. 

One such appropriate safeguard is that the person making the transfer and the person receiving that data enter into a contract that incorporates standard data protection clauses recognised or issued in accordance with the UK GDPR (known as standard contractual clausesSCCs or model clauses) before the transfer of personal data is made.

Why have updates been made?

Following Brexit, organisations within the UK wishing to transfer personal data from the UK must use the old EU standard contractual clauses (the Old EU SCCs). 

However, recent developments in data protection law across Europe and the result of the Schrems II case has seen the European Commission adopt a new set of standard contractual clauses in 2021 (the New EU SCCs) for use by organisations wishing to make a personal data transfer from the EU and therefore the Information Commissioner’s Office (ICO) has been considering its own approach to data protection to address such issues.

New UK SCC’s 

On 28th January 2022, the ICO issued new data protection clauses which will replace the Old EU SCCs as part of its International Data Transfer Agreement (IDTA) and International Data Transfer Addendum (UK Addendum). The IDTA and the UK Addendum form part of the UK’s process of developing its own data protection regime following Brexit.

The IDTA and UK Addendum contain new data protection clauses for organisations making restricted transfers under the UK GDPR and the Data Protection Act 2018 and will be in force from 28th March 2022 (provided Parliament raises no objections). 

Data Transfers The New Regime

However, transfer arrangements within the UK using the Old EU SCCs, and concluded before 21st September 2022, will continue to be valid until 21st March 2024 (unless the underlying processing operations change before such date). 

Therefore, after 21st September 2022:

  • for new arrangements - organisations must use the IDTA or the UK Addendum (as appropriate); and 
  • for existing arrangements - the Old EU SCCs must be replaced by 21st March 2024.

When should the UK Addendum be used?

The UK Addendum is to be used where the international transfers of personal data are subject to the EU GDPR and the UK GDPR. In this instance, the UK Addendum contains both terms to allow for the transfer of personal data from the UK and the New EU SCCs to allow for the transfer of personal data from the EU. 

When should the IDTA be used?

The IDTA is an alternative to the UK Addendum and is intended to be used by UK-based organisations and only process personal data to which the UK GDPR applies. 

Next steps

Organisations making transfers of personal data from either the UK and/or the EU should consider the following steps:

  • conduct a review of the organisation’s contractual commitments and arrangements to identify:
    • any new agreements where the use of the IDTA or the UK Addendum are required; and/ or
    • any existing agreements which require updating prior to 21st March 2024; and
  • before making a transfer of any personal data, conduct a transfer risk assessment to identify whether supplementary measures are required before any transfer is made, i.e., whether the IDTA or UK Addendum are required within the appropriate agreements. 

Here to help

For more information and guidance on preparing your business for the changes in data protection law, you can contact our specialist Data Protection Team below.

Contact Myerson Solicitors

Complete the form below, or alternatively, you can call Myerson Solicitors on:

0161 941 4000