Data privacy update: International data transfers

The ICO has announced changes regarding sending data outside the UK.

Published 17 May 2022

1. What has changed?
The Information Commissioner’s Office (ICO), which regulates privacy and data protection under the UK GDPR, recently announced changes to the mechanisms for sending personal data overseas.

In particular, the ICO has published new guidance and documents relating to transfers of personal data outside the UK. The key document is the International Data Transfer Agreement (IDTA), which supersedes the old standard contractual clauses (SCCs) that were used by organisations while the UK was still part of the EU. Organisations that transfer personal data subject to the UK GDPR outside the UK to countries that do not have ‘adequacy’ status will therefore need to update existing arrangements accordingly.

If organisations also handle personal data subject to the EU GDPR (for example, personal data concerning customers normally resident in the European Economic Area (EEA)), then it should be noted that the old SCCs have been replaced by a new set of SCCs published in June 2021 by the European Commission. If both the EU GDPR and the UK GDPR apply to personal data that is being transferred internationally, the new EU SCCs can be supplemented by a UK-specific addendum (Addendum) that has been published by the ICO as an alternative to using the IDTA.

2. In what circumstances do the new arrangements apply?
The new requirements are applicable to international transfers of personal data subject to the UK GDPR. This means personal data concerning individuals based in the UK who are offered goods and services or whose behaviour in the UK is monitored. The new requirements can therefore apply to organisations that are not themselves UK-based if they process this kind of personal data.

Similarly, EU arrangements apply to international transfers of personal data subject to the EU GDPR (so personal data concerning EEA-based individuals who are offered goods and services or whose behaviour in the EEA is monitored). The EU GDPR continues to apply to UK-based organisations, therefore, to the extent that they process personal data of this kind.

The new requirements apply only when personal data is transferred to countries that do not have an ‘adequacy’ decision in place from either the UK or EU – whichever is relevant (currently the list of such countries for each is the same – with the exception that the EU and UK both recognise each other as adequate). Adequacy decisions are in place for those countries considered to have sufficient data protection measures in place without the need for additional safeguards around data transferred there. The most obvious example of a country where there is no adequacy decision in place – but to which relevant data transfers frequently occur – is the USA.

3. What do I need to do?
Consider the arrangements your organisation has in place covering international transfers of personal data. Where transfers take place, and there is no adequacy decision for the destination country, the appropriate safeguards must be in place in order to comply with the UK GDPR and EU GDPR for any data to which that applies.

To ensure the appropriate safeguards are up to date, the data exporter and importer should either:

  • to the extent the UK GDPR applies to the exported data, sign a version of the International Data Transfer Agreement; or
  • if an organisation exports personal data that is subject to both the UK GDPR and EU GDPR, then where an agreement is already in place that includes the updated European Commission’s 2021 SCCs, sign a version of the Addendum supplementing the SCCs. This is likely to be most relevant for organisations transferring data that is subject to both UK and EU GDPR since it will ensure compliance with both regimes.

One of these agreements should also be concluded for any new data transfer arrangements.

Organisations transferring data subject to the EU GDPR should ensure the relevant contracts incorporate the new SCCs as published in June 2021, rather than the old version.

4. When do I need to make the changes?
The UK IDTA and Addendum have been in force and available to use since 21 March 2022. The old EU SCCs alone (without the Addendum) will, however, be considered sufficient to provide the necessary safeguards for all transfers subject to the UK GDPR concluded before 21 September 2022 (providing that the processing operations have not changed), until 21 March 2024. After that date, the Addendum must be used in addition to the new SCCs, or the UK IDTA used as an alternative. This will therefore necessitate some repapering of contracts involving these kinds of transfers, which we would recommend starting as soon as possible.

For agreements made after 21 September 2022, the UK IDTA or Addendum should be used from the start of the arrangement.

5. What else should I consider?
To inform decisions about what safeguards are required whenever personal data is being transferred internationally, data exporters are required to undertake and document a transfer risk assessment in each case. It is important to have this in place as part of your internal audit trail in order to demonstrate compliance with the accountability principle under the UK GDPR and EU GDPR.

6. Checklist / summary

  • If your organisation transfers personal data outside the UK to a country that does not have an adequacy decision in place, you need to make changes to the contracts governing the transfer arrangements.
  • Undertake and document a transfer risk assessment to understand the context of the transfer and the appropriate safeguards required.
  • For existing transfer arrangements (safeguarded by the ‘old’ SCCs) – implement the IDTA or Addendum by 21 March 2024.
  • For new or significantly modified transfer arrangements – implement the IDTA or Addendum from the start of the contract (and this is compulsory after 21 September 2022).

Collyer Bristow is happy to advise on the implementation of these new requirements, and the detail of the IDTA/Addendum in your organisation. Please get in touch if you require assistance.
