There has recently been an update to the UK General Data Protection Regulation (UK GDPR) introducing new documents for international personal data transfers outside the UK and EEA.
Earlier this year, the UK’s Information Commissioner’s Office (ICO) issued new template documents for the International Data Transfer Agreement (IDTA) and the Addendum to the Standard Contractual Clauses (the Addendum).
Why do I need approved documents when transferring personal data internationally?
The GDPR provides some of the toughest data protection rules in the world. EU citizens, therefore, have a right to be confident that their personal data will be protected if it is moved between states, including to countries that have not been granted adequacy.
Countries that are granted adequacy have been deemed by the European Commission to provide a level of data protection equivalent to that provided by the EU.
Before transferring personal data to a third country (i.e. a nation that has not been granted adequacy), you should examine whether the transfer is necessary.
If you can achieve your objective through other means, it is preferable to keep the data private.
If you must transfer personal data to a third country, you must comply with the safeguards referred to in Article 46 of the UK GDPR.
This can be achieved by using the following:
- EU Standard Contractual Clauses
- An International Data Transfer Agreement (IDTA)
- The Addendum
All three options are explained below.
What are EU Standard Contractual Clauses (SCCs)?
SCCs are standardised contractual clauses that organisations moving data from the EU/EEA or a country that has been granted adequacy (for example, the UK) to a third country must use to ensure the rights and freedoms of the data subject are maintained during the transfer.
The SCCs provide appropriate protections for international data transfers compliant with Article 46 of the GDPR. They cannot be altered but can be enhanced if subject to appropriate safeguards.
In June 2021, the EU approved a new set of SCCs; however, the UK Government did not approve these. Therefore, UK-based organisations were forced to continue to use the old SCCs when transferring personal data to third countries.
The IDTA and the Addendum are, in effect, the UK version of the new EU SCCs.
You can find the EU SCCs here.
What is an International Data Transfer Agreement (IDTA)?
International Data Transfer Agreements (IDTAs) are agreements that regulate the transfer of personal data between countries.
The IDTA is the UK version of the new EU Standard Contractual Clauses, drafted and approved by the ICO.
The Addendum is designed to be used with the new EU Standard Contractual Clauses as an alternative to IDTAs.
They are typically inserted into administrative arrangements between public authorities, such as between government agencies or between a government and a private sector organisation.
IDTAs contain binding and enforceable commitments to protect the privacy and security of personal data during transfer. In some cases, IDTAs may require specific authorisation for the transfer of data, depending on the laws and regulations of the countries involved.
IDTAs are important tools for ensuring that personal data is protected when it is transferred internationally, and they are typically used in situations where data needs to be shared for specific purposes, such as law enforcement or research.
When should we use the Addendum?
The Addendum is designed to add to the new EU SCCs where UK and EU personal data is transferred to a third country.
The Addendum makes several amendments to the new EU Standard Contractual Clauses (SCCs) so that the proposed data transfer works from a UK GDPR perspective (i.e. providing for the ICO as the relevant supervisory authority and the UK governing law).
Who does this change affect?
The change affects businesses and organisations that transfer personal data outside the UK or EEA, that is, when work is outsourced to companies and contractors based outside the UK or EEA, including:
- Storage
- Subcontracting services
- Marketing
The relevant safeguard for international transfer is the use of standard data protection clauses and a legally binding and enforceable instrument between public authorities or bodies, as opposed to transfers to countries with adequacy decisions in place or binding corporate rules.
For example, if you use a company based in South Africa to outsource your services, and the employees of that company have access to your customers’ or clients’ personal data, such as email addresses, names, and account information, you’ll need to ensure you have the right documents in place.
This also applies if, for example, your business uses an IT support service contractor based in India or a US-based marketing software tool, where these services or contractors may access personal information.
In these types of scenarios, you'll need to ensure the correct type of document(s) and clauses for the international transfer of personal data are in place.
When does the change become effective?
From 22 September 2022, businesses that transfer personal data outside of the UK based on contractual safeguards should use either:
- The IDTA, along with the relevant Data Processing or Data Sharing Agreement, or
- The Addendum, along with the European Union approved Standard Contractual Clauses and the relevant Data Processing or Data Sharing Agreement
The exception is where there is an existing agreement in place, in the form of the previous version(s) of Standard Contractual Clauses, along with the relevant Data Processing or Data Sharing Agreement.
In this case, such contracts can continue to be in force until March 2024, but they will need to be updated to IDTAs and current data protection laws.
Get legal assistance from LawBite
GDPR is a document-heavy area of business law, and the international transfers element is no exception.
Both the new IDTA and the Addendum template documents may be challenging to navigate and amend as necessary if you don’t have specific knowledge and experience in this area of law.
Our data protection specialists at LawBite will be happy to help you navigate your obligations and draft specific documents to record your decisions and processes. To find out how we can help your business, book a free 15-minute consultation or call us on 020 3808 8314.