Shorter Reads

Data privacy update: International data transfers

The ICO has announced changes regarding sending data outside the UK.

3 minute read

Published 17 May 2022

Authors

Share

Key information

1. What has changed?
The Information Commissioner’s Office (ICO), which regulates privacy and data protection under the UK GDPR, recently announced changes to the mechanisms for sending personal data overseas.

In particular, the ICO has published new guidance and documents relating to transfers of personal data outside the UK. The key document is the International Data Transfer Agreement (IDTA), which supersedes the old standard contractual clauses (SCCs) that were used by organisations while the UK was still part of the EU. Organisations that transfer personal data subject to the UK GDPR outside the UK to countries that do not have ‘adequacy’ status will therefore need to update existing arrangements accordingly.

If organisations also handle personal data subject to the EU GDPR (for example, personal data concerning customers normally resident in the European Economic Area (EEA)), then it should be noted the old SCCs have been replaced by a new set of SCCs published in. June 2021 by the European Commission. If both the EU GDPR and the UK GDPR apply to personal data that is being transferred internationally, the new EU SCCs can be supplemented by a UK-specific addendum (Addendum) that has been published by the ICO as an alternative to using the IDTA.

2. In what circumstances do the new arrangements apply?
The new requirements are applicable to international transfers of personal data subject to the UK GDPR. This means personal data concerning individuals based in the UK who are offered goods and services or whose behaviour in the UK is monitored. The new requirements can therefore apply to organisations that are not themselves UK-based if they process this kind of personal data.

Similarly, EU arrangements apply to international transfers of personal data subject to the EU GDPR (so personal data concerning EEA-based individuals who are offered goods and or whose behaviour in the EEA is monitored). The EU GDPR continues to apply to UK-based organisations, therefore, to the extent that they process personal data of this kind.

The new requirements apply only when personal data is transferred to countries that do not have an ‘adequacy’ decision in place from either the UK or EU – whichever is relevant (currently the list of such countries for each is the same – with the exception that the EU and UK both recognise each other as adequate). Adequacy decisions are in place for those countries considered to have sufficient data protection measures in place without the need for additional safeguards around data transferred there. The most obvious example of a country where there is no adequacy decision in place – but to which relevant data transfers frequently occur – is the USA.

3. What do I need to do?
Consider the arrangements your organisation has in place covering international transfers of personal data. Where transfers take place, and there is no adequacy decision for the destination country, the appropriate safeguards must be in place in order to comply with the UK GDPR and EU GDPR for any data to which that applies.

To ensure the appropriate safeguards are up to date the data exporter and importer should either:

  • to the extent the UK GDPR applies to the exported data, sign a version of the International Data Transfer Agreement ; or
  • if an organisation exports personal data that is subject to both the UK GDPR and EU GDPR, then where an agreement is already in place that includes the updated European Commission’s 2021 SCCs, sign a version of the Addendum supplementing the SCCs. This is likely to be most relevant for organisations transferring data that is subject to both UK and EU GDPR since it will ensure compliance with both regimes.

One of these agreements should also be concluded for any new data transfer arrangements.

Organisations transferring data subject to the EU GDPR should ensure the relevant contracts incorporate the new SCCs as published in June 2021, rather than the old version.

4. When do I need to make the changes?
The UK IDTA and Addendum have been in force and available to use since 21 March 2022. The old EU SCCs alone (without the Addendum) will, however, be considered sufficient to provide the necessary safeguards for all transfers subject to the UK GDPR concluded before 21 September 2022 (providing that the processing operations have not changed), until 21 March 2024. After that date, the Addendum must be used in addition to the new SCCs, or the UK IDTA used as an alternative. This will therefore necessitate some repapering of contracts involving these kind of transfers, which we would recommend starting as soon as possible.

For agreements made after 21 September 2022, the UK IDTA or Addendum should be used from the start of the arrangement.

5. What else should I consider?
To inform decisions about what safeguards are required whenever personal data is being transferred internationally, data exporters are required to undertake and document a transfer risk assessment in each case. It is important to have this in place as part of your internal audit trail in order to demonstrate compliance with the accountability principle under the UK GDPR and EU GDPR.

6. Checklist / summary

  • If your organisation transfers personal data outside the UK to a country that does not have an adequacy decision in place, you need to make changes to the contracts governing the transfer arrangements.
  • Undertake and document a transfer risk assessment to understand the context of the transfer and the appropriate safeguards required.
  • For existing transfer arrangements (safeguarded by the ‘old’ SCCs) – implement the IDTA or Addendum by 21 March 2024.
  • For new or significantly modified transfer arrangements – implement the IDTA or Addendum from the start of the contract (and this is compulsory after 21 September 2022).

Collyer Bristow is happy to advise on the implementation of these new requirements, and the detail of the IDTA/Addendum in your organisation. Please get in touch if you require assistance.

Related latest updates
PREV NEXT

Related content

Arrow Back to Insights

Shorter Reads

Data privacy update: International data transfers

The ICO has announced changes regarding sending data outside the UK.

Published 17 May 2022

Associated sectors / services

  • Data Protection

Authors

1. What has changed?
The Information Commissioner’s Office (ICO), which regulates privacy and data protection under the UK GDPR, recently announced changes to the mechanisms for sending personal data overseas.

In particular, the ICO has published new guidance and documents relating to transfers of personal data outside the UK. The key document is the International Data Transfer Agreement (IDTA), which supersedes the old standard contractual clauses (SCCs) that were used by organisations while the UK was still part of the EU. Organisations that transfer personal data subject to the UK GDPR outside the UK to countries that do not have ‘adequacy’ status will therefore need to update existing arrangements accordingly.

If organisations also handle personal data subject to the EU GDPR (for example, personal data concerning customers normally resident in the European Economic Area (EEA)), then it should be noted the old SCCs have been replaced by a new set of SCCs published in. June 2021 by the European Commission. If both the EU GDPR and the UK GDPR apply to personal data that is being transferred internationally, the new EU SCCs can be supplemented by a UK-specific addendum (Addendum) that has been published by the ICO as an alternative to using the IDTA.

2. In what circumstances do the new arrangements apply?
The new requirements are applicable to international transfers of personal data subject to the UK GDPR. This means personal data concerning individuals based in the UK who are offered goods and services or whose behaviour in the UK is monitored. The new requirements can therefore apply to organisations that are not themselves UK-based if they process this kind of personal data.

Similarly, EU arrangements apply to international transfers of personal data subject to the EU GDPR (so personal data concerning EEA-based individuals who are offered goods and or whose behaviour in the EEA is monitored). The EU GDPR continues to apply to UK-based organisations, therefore, to the extent that they process personal data of this kind.

The new requirements apply only when personal data is transferred to countries that do not have an ‘adequacy’ decision in place from either the UK or EU – whichever is relevant (currently the list of such countries for each is the same – with the exception that the EU and UK both recognise each other as adequate). Adequacy decisions are in place for those countries considered to have sufficient data protection measures in place without the need for additional safeguards around data transferred there. The most obvious example of a country where there is no adequacy decision in place – but to which relevant data transfers frequently occur – is the USA.

3. What do I need to do?
Consider the arrangements your organisation has in place covering international transfers of personal data. Where transfers take place, and there is no adequacy decision for the destination country, the appropriate safeguards must be in place in order to comply with the UK GDPR and EU GDPR for any data to which that applies.

To ensure the appropriate safeguards are up to date the data exporter and importer should either:

  • to the extent the UK GDPR applies to the exported data, sign a version of the International Data Transfer Agreement ; or
  • if an organisation exports personal data that is subject to both the UK GDPR and EU GDPR, then where an agreement is already in place that includes the updated European Commission’s 2021 SCCs, sign a version of the Addendum supplementing the SCCs. This is likely to be most relevant for organisations transferring data that is subject to both UK and EU GDPR since it will ensure compliance with both regimes.

One of these agreements should also be concluded for any new data transfer arrangements.

Organisations transferring data subject to the EU GDPR should ensure the relevant contracts incorporate the new SCCs as published in June 2021, rather than the old version.

4. When do I need to make the changes?
The UK IDTA and Addendum have been in force and available to use since 21 March 2022. The old EU SCCs alone (without the Addendum) will, however, be considered sufficient to provide the necessary safeguards for all transfers subject to the UK GDPR concluded before 21 September 2022 (providing that the processing operations have not changed), until 21 March 2024. After that date, the Addendum must be used in addition to the new SCCs, or the UK IDTA used as an alternative. This will therefore necessitate some repapering of contracts involving these kind of transfers, which we would recommend starting as soon as possible.

For agreements made after 21 September 2022, the UK IDTA or Addendum should be used from the start of the arrangement.

5. What else should I consider?
To inform decisions about what safeguards are required whenever personal data is being transferred internationally, data exporters are required to undertake and document a transfer risk assessment in each case. It is important to have this in place as part of your internal audit trail in order to demonstrate compliance with the accountability principle under the UK GDPR and EU GDPR.

6. Checklist / summary

  • If your organisation transfers personal data outside the UK to a country that does not have an adequacy decision in place, you need to make changes to the contracts governing the transfer arrangements.
  • Undertake and document a transfer risk assessment to understand the context of the transfer and the appropriate safeguards required.
  • For existing transfer arrangements (safeguarded by the ‘old’ SCCs) – implement the IDTA or Addendum by 21 March 2024.
  • For new or significantly modified transfer arrangements – implement the IDTA or Addendum from the start of the contract (and this is compulsory after 21 September 2022).

Collyer Bristow is happy to advise on the implementation of these new requirements, and the detail of the IDTA/Addendum in your organisation. Please get in touch if you require assistance.

Associated sectors / services

  • Data Protection

Authors

Need some more information? Make an enquiry below.

    Subscribe

    Please add your details and your areas of interest below

    Specialist sectors:

    Legal services:

    Other information:

    Jurisdictions of interest to you (other than UK):



    Article contributor

    Enjoy reading our articles? why not subscribe to notifications so you’ll never miss one?

    Subscribe to our articles

    Message us on WhatsApp (calling not available)

    Please note that Collyer Bristow provides this service during office hours for general information and enquiries only and that no legal or other professional advice will be provided over the WhatsApp platform. Please also note that if you choose to use this platform your personal data is likely to be processed outside the UK and EEA, including in the US. Appropriate legal or other professional opinion should be taken before taking or omitting to take any action in respect of any specific problem. Collyer Bristow LLP accepts no liability for any loss or damage which may arise from reliance on information provided. All information will be deleted immediately upon completion of a conversation.

    I accept Close

    Close
    Scroll up

    Find out about Business

    Find out about Dispute Resolution

    Find out about Individuals & Families

    Find out about Real Estate

    We are Collyer Bristow - The law firm for those that
    value individuality, creativity and collaboration.

    Legal & Pricing info Regulatory InformationAccessibilitySitemapPricing and service information

    Listen to our latest podcast: Budget Miniseries: Impacts on Families with US Connections (Part 1)

    Listen to our latest podcast: Cracking the Code on Directors’ Service Agreements

    Read our latest article: Economist, or just economical with the truth? How can employers respond to ‘fake claims’ on a CV?

    Listen to our latest podcast: Autumn Budget 2024 Special (Part 2)

    Read our latest article: ‘Promoting the integrity of the register’: The new Companies House approach to non-compliance

    ExpandNeed some help?Toggle

    < Back to menu

    I have an issue and need your help

    Scroll to see our A-Z list of expertise

    Get in touch

    Get in touch using our form below.



      Business Close
      Private Wealth Close
      Hot Topics Close