EU and UK-based organisations regularly need to transfer personal data to different countries for a variety of reasons – project collaborations, partnerships, service providers etc.
With the increasing complexity of global privacy legislation, it is vital for organisations to have the appropriate safeguards in place for these transfers. This ensures compliance with data protection laws, mitigates the risk of a data breach, and helps to maintain the trust of customers, stakeholders, and employees.
There are several safeguarding options, depending on the nature of the data, where the individuals are located, and where the data is being sent.
In this blog, we take a look at the EU Standard Contractual Clauses (EU SCCs), the UK Addendum, and the UK International Data Transfer Agreement (IDTA), explaining the suitability of each mechanism for EU and UK personal data transfers and the factors to consider.
EU Standard Contractual Clauses (EU SCCs)
EU SCCs are one of the most commonly used data transfer mechanisms. They are popular because they have pre-approval by the European Commission and a level of assurance for compliance with the General Data Protection Regulation (GDPR).
The European Commission published new EU SCCs on 4 June 2021, allowing organisations to use these for data transfers from the European Economic Area (EEA) to third countries from 27 June 2021.
UK Addendum
As the UK is no longer part of the EEA, UK organisations cannot rely on the new EU SCCs. Only the old EU SCCs were valid in the UK until the Information Commissioner’s Office (ICO) introduced their own solution in the form of an Addendum, which came into force on 21 March 2022.
The UK Addendum allows organisations to use the new EU SCCs for UK personal data transfers, ensuring compliance with both EU and UK data protection laws. A helpful solution for organisations with locations across the EU and the UK.
The old EU SCCs expired on 27 December 2022. Any existing UK contracts have until 21 March 2024 to transition to the new EU SCCs with UK Addendum or the IDTA.
UK International Data Transfer Agreement (IDTA)
The International Data Transfer Agreement (IDTA) was developed by the UK’s Information Commissioner’s Office (ICO) and has been in force since 21 March 2022. It is a legal framework for transferring personal data from the UK to countries outside the European Economic Area (EEA) not covered by adequacy decisions (these are known as UK Restricted Transfers).
The IDTA is an alternative to the EU SCCs with the UK Addendum but is only suitable for transferring personal data from the UK.
The IDTA sets out contractual obligations for both the data exporter (in the UK) and the data importer (in the third country) to protect the privacy and rights of individuals whose data is being transferred. It includes clauses on data handling, processing, security measures, and the rights of individuals.
Should you use EU SCCs, UK IDTA or UK Addendum?
There are fundamental questions you should ask when choosing the most appropriate data transfer mechanism for your organisation. These include understanding the type of data being transferred, the frequency and volumes, and the countries involved.
Here’s a helpful list of questions to consider and an overview of which mechanism to use for EU or UK data:
- Where do the individuals reside? EU, UK or both?
- Are there any inter-company binding rules in place? If so, further mechanisms may not be required
- Are you transferring data to an adequate country? If yes, the transfer can proceed, following the specific adequacy decision frameworks
- Are you making a regular transfer to a non-adequate country? If yes, see EU SCCs or UK Addendum or IDTA
The DPO Centre can help with your international data transfer queries
- One of the largest teams of outsourced Data Protection Officers (DPOs) available
- GDPR EU and UK Representatives
- Specialist Advice Line offering a rapid response to important data protection queries
- Highly cost-effective solutions
We have worked with over 800 clients globally across the spectrum of industry sectors, supporting their data protection compliance and bringing peace of mind.
