New International Data Transfer Agreement Gets The All Clear

Organisations now have mechanisms in place to replace the EU standard contractual clauses (SCCs) to protect personal data. With little fanfare the UK’s International Data Transfer Agreement (IDTA) and Addendum passed its political hurdle in Parliament and came into effect in March.

These latest transfer agreements replace the old EU SCCs upon which businesses have needed to rely previously to comply with the requirements under article 46 of the UK GDPR. This is to provide appropriate safeguards for personal data transferred from the UK to countries which are not covered by the UK’s adequacy regulations.

However, don’t panic if you have been using the old SCCs for your data needs. Fortunately, there is no immediate rush to transition to the new documentation. There’s a grace period, so the old SCCs are still valid (for the UK only) until 21 September 2022.

Be mindful though that all transfers based on the old SCCs must be transitioned to the IDTA or Addendum by 21 March 2024. However, just to complicate things there is another deadline. This is for organisations subject to both the EU GDPR and the UK GDPR looking to harmonise their contractual approach to restricted transfers and achieve efficiencies by doing everything in one hit.

The time limit is the 27th December 2022 under the EU GDPR for transitioning legacy arrangements to the new EU SCCs. Whilst there may be specific circumstances where it is appropriate, we would query why, regardless of the grace period, an organisation would use the old SCCs, when the IDTA and Addendum are available.

Let’s be clear. In circumstances where you use these new transfer agreements, you will still need to undertake a risk-based assessment of the law in the relevant non-adequate third country and consider whether any additional safeguards are required to protect personal data.

So, when can you transfer personal data to a third country outside the UK? Controllers and processors subject to UK GDPR can do this when:

• An adequacy decision exists in relation to that country.

• A suitable derogation exists which covers the circumstances of the transfer (e.g., occasional transfer for a number of limited purposes or where the data subject has given explicit, informed consent to the transfer).

• An appropriate safeguarding mechanism is used, such as SCC or binding corporate rules, which helps to ensure that UK standards of personal data protection travel with the data. When the European Commission (EC) published the old SCC, it approved them for use in the EU which included, at that time, the UK.

The good news is that personal data can be freely transferred between the UK and EEA because the UK has recognised the EEA, and – for the time being at least – the EC has reciprocated to the UK as having adequacy meaning equivalent levels of data protection.

The ICO website has the list of countries covered by UK adequacy regulations. For an audit to check if you are UK GDPR compliant contact Allotts on 01423 867264.