Insight - Commercial Law - POSTED: March 7 2024
International data transfers – deadline to incorporate standard contractual clauses or International Data Transfer Agreement
UK businesses that transfer personal data out of the UK to a country not deemed “adequate” by the UK Government will have until 21 March 2024 to update existing contracts to ensure compliance with the General Data Protection Regulation (GDPR).
The recent £1.04bn fine handed down by the Irish Data Protection Authority to Facebook’s owner, Meta, for breaches of GDPR serves as a potent reminder of the grave consequences of noncompliance and of the importance of businesses’ seeking advice if they are unsure of their duties under the legislation.
UK GDPR: An Overview
The UK GDPR restricts the transfer of personal data to receivers outside of the UK where that country is not covered by UK adequacy regulations (i.e. a country that the UK government does not regard as providing adequate protection for individuals’ personal data).
Any contracts involving restricted data transfers (i.e. transfers of data not covered by the UK adequacy regulations) need to incorporate one of the data protection clauses approved by the UK Information Commissioner’s Office (ICO). This could take the form of either:
- an International Data Transfer Agreement (IDTA); or
- incorporation of the EU Standard Contractual Clauses (SCCs) together with the UK’s own Addendum. Importantly, the new SCCs are not valid for restricted transfers under UK GDPR unless they are issued in conjunction with the UK’s own Addendum.
Importantly, all contracts on the basis of the old EU Standard Contractual Clauses will only continue to provide adequate protection for the purposes of UK GDPR until 21 March 2024. From that date, existing contracts dealing with restricted transfers of personal data will need to be transitioned to incorporate either the IDTA or EU SCCs and UK Addendum.
Which transfer mechanism should I use?
Ultimately, the transfer mechanism that you use will depend on the personal data that you are transferring.
- International Data Transfer Agreement – this is a standalone document providing appropriate safeguards for a restricted transfer of personal data from the UK. This is essentially the UK’s equivalent to the EU SCCs. The IDTA is likely to be the most appropriate mechanism if your organisation is established in the UK and doesn’t provide any goods or services into the EU.
- UK Addendum – this is a short document that is intended to be issued in conjunction with the new EU SCCs and effectively applies the EU SCCs to a transfer of personal data from the UK (with some minor UK-specific amendments). This option may be more suitable for UK organisations that have an exposure to EU GDPR anyway – e.g. by being part of a group with one or more entities established in the EU or which offers goods and services to customers in the EU.
Importantly, it is still necessary to undertake a transfer risk assessment (TRA) of the country to which you are transferring personal data. If the TRA reveals gaps in the protection afforded in that particular country, supplementary measures should be adopted to ensure there is an equivalent level of protection for personal data as in the UK (or EU, as appropriate).
The ICO has issued a Transfer Risk Assessment Tool, which may be a useful starting point before carrying out your transfer risk assessments. Please note, we are expecting further ICO guidance on how transfer risk assessments should be completed in due course.
Checklist
With the deadline for incorporating either the IDTA or EU SCCs and UK Addendum looming, it is advisable that organisations:
- Consider data flows – do you transfer personal data outside of the UK and is this necessary in order to meet your purposes? Is it possible that these purposes can be met without transferring personal data outside of the UK?
- Review contracts that involve international transfers of personal data – do any of these contracts incorporate legacy/old EU SCCs that need to be updated to incorporate the IDTA or EU SCCs and UK Addendum before 21 March 2024?
- For any new contracts involving an international transfer of personal data – incorporate the IDTA or EU SCCs and UK Addendum.
- Conduct or update transfer risk assessments where necessary and consider whether any supplementary measures are required when transferring personal data internationally.
Further guidance and support
If you require any help or advice on any of the information in this article, please get in touch with our team. Our commercial law solicitors are based in Maidstone and Canterbury and are ready to help with any legal advice you may require so please get in touch today.
This content is correct at time of publication