Since Brexit, on 31 January 2020, the EU and the UK’s development of the General Data Protection Regulation (“GDPR”) could begin to diverge. The European Commission adopted new Standard Contractual Clauses for the transfer of personal data from the EEA to Non-GDPR adequate countries (the “New EU SCCs”).
Separately, but in a similar vein, on the 28th of January 2022, the UK’s Information Commissioner’s Office (“ICO”) announced that the international data transfer agreement (the “IDTA”), which is ofttimes referred to as the ‘UK standard contractual clauses’, can indeed be used as an appropriate safeguard for transferring data outside of the UK and ensuring compliance with the UK GDPR (the retained EU law version of the GDPR).
This overlapping update to contractual transfer mechanisms have given companies additional regulatory burdens. To simplify the process, for organisations that transfer personal data outside of the EU/EEA, the UK will recognise the New EU SCCs as appropriate safeguards for transfers out of the UK, subject to the parties also using the international data transfer addendum (“IDTA Addendum”) in addition to the New EU SCCs. This allows organisations to use only one set of SCCs: the New EU SCCs together with the IDTA Addendum, instead of both the New EU SCCs and the IDTA.
See here for further background information on the IDTA.
Deadline
For contracts entered into on or after 21 September 2022 (the “IDTA deadline”), organisations transferring UK originated personal data will be required to use the IDTA, or the New EU SCCs together with the IDTA Addendum.
What next?
In light of the fast-approaching IDTA Deadline, organizations conducting restricted transfers from the EU/ EEA or the UK to third countries not covered by EU ‘adequacy decisions’ need to take immediate action and incorporate either the IDTA or the New EU SCCs together with the IDTA Addendum in order to ensure compliance with the UK GDPR. Find the list of the countries recognised by the European Commission as providing adequate protection here.
The ICO has published additional guidance to provide support to organisations navigating this transition. See the ICO’s statement here.
Please contact Jose Saras if you have any questions or need assistance incorporating the IDTA or the New EU SCCs together with the IDTA Addendum.
The material in this article is only for general review of the topics covered and does not constitute legal advice. No legal or business decision should be based on its content.