Search

The UK Parliament has given its approval of the new Standard Contractual Clauses for UK transfers to countries without a finding of ‘adequacy’ (“UK SCCs”). The new UK SCCs will take the form of the International Data Transfer Agreement (“IDTA”) and the International Data Transfer Addendum (“UK Addendum”) which acts as an addendum to the European Commission’s (“EC”) new standard contractual clauses (“EU SCCs”). This follows the EC’s announcement of its new EU SCCs last year.

 

What are ‘Standard Contractual Clauses’?

The UK GDPR only permits the transfer of personal data outside of the UK on specific grounds and subject to suitable safeguards. Following Brexit, the UK adopted the same finding of ‘adequacy’ for the countries that had been similarly granted such status by the EC (as at 31 December 2020). These include, among others, all EEA countries, Gibraltar, Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.

However, if you want to transfer data to other countries which do not have a finding of ‘adequacy’, there are more stringent requirements that you will need to comply with in order to evidence that the data will receive the same level of protection in that country. The most common way of ensuring compliance (especially since the ruling invalidating the EU-US Privacy Shield) has been for you and the recipient party to enter into the EU SCCs which govern that transfer. Going forward, for transfers out of the UK, these will now be either the IDTA or the UK Addendum.

 

What are the IDTA and UK Addendum?

Both the IDTA and UK Addendum are useful tools to allow you to transfer personal data outside of the UK but they do differ in that:

  • The IDTA is effectively the UK’s version of the EU SCCs and so its use will be more appropriate where your transfers outside of the UK are just subject to the UK GDPR; whereas
  • The UK Addendum is an addendum to the new EU SCCs which incorporates the relevant UK legal references into the EU SCCs so that it covers both the UK GDPR and the EU GDPR. This will be more useful where your business is transferring personal data outside of the UK and the EU to third countries.

 

What do I need to do?

There are two key changes that you need to be aware of in respect of your contracts governing the transfer of personal data from the UK to a country that doesn’t have a finding of ‘adequacy’:

  1. New Contracts – any new contracts entered into after 21 September 2022 must include either the IDTA or UK Addendum. However, as you will be able to use the new UK tools from 21 March 2022, it would be sensible to use them now for any new contracts. 
  2. Existing Contracts - if you have any contracts which are already in place (or are entered into before the final cut-off on 21 September 2022 and using the old EU SCCs), these will continue to provide ‘appropriate safeguards’ for the purpose of UK GDPR but they must be amended to include either the IDTA or UK Addendum by 21 March 2024.

 

How can Roxburgh Milkins help?

We provide a number of data protection services, including a full GDPR audit - looking into all areas of data protection compliance - and a shorter checklist service, which focuses on the key GDPR data protection principles.

Both of these include a review of your use of third-party data processors and the contract terms you have in place with those processors, which will help to identify if you are transferring data to the third countries without a finding of adequacy and therefore if you need to take any of the actions described above.

If you already have details of your data transfer and processing arrangements from the UK to third countries and/or have standard contracts in place for data transfer and processing arrangements, we can help you update your contracts to incorporate the new UK SCCs, to ensure you’re compliant with the new legal framework.

If you have any questions regarding this note, or would like further advice, please contact us at commercial@roxburghmilkins.com.