Posted: 10/02/2022
Following the end of the ICO’s consultation (discussed in our September update), final versions of the new standard form International Data Transfer Agreement (IDTA) and Addendum to the new EU Standard Contractual Clauses (SCC Addendum) have been approved by Parliament and came into force on 21 March 2022.
The IDTA replaces the EU Standard Contractual Clauses (SCCs) as the transfer tool for transfers of personal data from the UK to countries not covered by adequacy decisions recognised by the UK. The IDTA is needed because although the EU issued new SCCs in June last year, following Brexit, these are not valid for transfers of personal data from the UK. To simplify the transfer documentation for organisations that are subject to both the EU and UK GDPR, the Information Commissioner’s Office (ICO) released the SCC Addendum to be used for UK data transfers alongside the new EU SCCs, instead of the IDTA.
For contracts signed on or before 21 September 2022, there is a transitional period until 21 March 2024 during which parties may continue to use the old EU SCCS, adapted for use in the UK context, for transfers from the UK. This is on the proviso that there are no changes to the processing operations and the subject matter of the contract, and reliance on those clauses ensures that the transfer of data is subject to appropriate safeguards.
Organisations need to consider their personal data transfers from the UK and ensure that they are ready to:
In addition, organisations that transfer personal data from the EU/EEA to third countries in reliance on the old EU SCCs will need to ensure that those are replaced with the new EU SCCs for ongoing transfers, by no later than 27 December 2022.
The ICO is developing additional tools to provide support and guidance to organisations using the IDTA and SCC Addendum, as well as guidance on carrying out the transfer risk assessments needed when using the IDTA or SCC Addendum (to establish whether any additional safeguards are required to protect personal data in the third country, in compliance with the Schrems II judgment). These will be published soon. In the meantime, organisations should review their approach to cross border data transfers in order to identify contracts that need to be updated and data transfer impact assessments (DTIAs) that need to be carried out.
If you would like to discuss your organisation’s international data transfers please get in touch with your usual Penningtons Manches Cooper contact or Joanne Vengadesan or Anna Frankum. We are on hand to provide specialist data protection advice.
This article was updated on 1 April to reflect that the IDTA and SSC Addendum did come into force on 21 March 2022.
© 2024 Penningtons Manches Cooper LLP.
All rights reserved.
Website design by Frontmedia / Dynamic Pear
Penningtons Manches Cooper LLP is a limited liability partnership registered in England and Wales with registered number OC311575 and is authorised and regulated by the Solicitors Regulation Authority under number 419867.
Return to news headlines