It seems like only yesterday we wrote about the ICO’s new International Data Transfer Agreement (IDTA) and the UK Addendum to the EU’s Standard Contractual Clauses (UK SCCs) but in fact it was almost two years ago.
The ITDA and the UK SCCs are mechanisms that organisations subject to UK GDPR can use to enable lawful exports of personal data to other countries whose laws do not offer adequate legal protection to data subjects. The IDTA and UK SCCs are intended to create binding contractual obligations equivalent to the requirements of UK GDPR between the data exporter and the data importer. For data transfers to countries which fall within the UK Government’s adequacy decision an IDTA or UK SCCs are not required[1]. This includes all countries of the EEA and a relatively small number of other countries with full adequacy[2]. Canada, Japan and the USA have partial adequacy (see our article for more information about the UK-US Data Bridge arrangements).
The UK SCCs incorporate the latest version of the EU SCCs which took effect from September 2021. In the UK, the old EU SCCs ceased to be valid for new contracts from September 2022 but for existing contracts data exporters were permitted to continue to rely on the old EU SCCs. However, with effect from 21 March 2024 data exporters subject to UK GDPR can no longer rely on the old EU SCCs and need to take steps to replace them.
In practice and due to increased awareness of UK GDPR data export requirements among the larger international data importers, it is unlikely that there will be a substantial number of arrangements to be replaced. That said, it is a timely reminder of the need for data exporters to undertake regular international data transfer risk assessments and ensure that their international data transfer arrangements, privacy notices, policies and procedures keep pace with developments in the law and technology.
For further information please contact Anne Todd or Emily Aggett in our Data Protection & Privacy Team.
[1] A data processing agreement is still required between the controller and processor in the usual way.
[2] At the time of writing: Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.
Hosted and sponsored by Michelmores and organised by the SCL Tech Transactions Group. Join SCL’s Technology Transactions Group on 28 November 2024 for a half day event focusing on how...
Our next MAINstream Pitch Event will be taking place at our Exeter office on Tuesday 3 December. There will be time to catch up over...