Any links to online stores should be assumed to be affiliates. The company or PR agency provides all or most review samples. They have no control over my content, and I provide my honest opinion.
New UK standard contractual clauses to enable the transfer of personal data from the UK internationally come into effect on 21st March 2022.
The UK GDPR regulates the transfer of personal data to countries outside of the UK or to international organisations unless the receiver of the personal data is located within a third country, territory or international organisation covered by a UK “adequacy decision” (where the UK considers the legal framework in that country, territory or international organisation provides adequate protection for individuals’ rights and freedoms for their personal data).
Before personal data is sent to a country that isn’t covered by an adequacy decision (for example, the United States), appropriate safeguards must be put in place before the transfer of personal data is made.
An appropriate safeguard would be before the transfer of personal data is made, the person making the transfer and the recipient entering a contract that incorporates standard data protection clauses recognised or issued under the UK GDPR (known as standard contractual clauses, SCCs or model clauses) before the transferring of data can be made.
Why have updates been made?
Following Brexit, organisations in the UK that wish to transfer personal data from the UK must use the old EU standard contract clauses (the Old EU SCCs).
However, recent developments in data protection law throughout Europe, as well as the outcome of the Schrems II case, have prompted the European Commission to create a new set of standard contract clauses in 2021 (the New EU SCCs) for use by businesses wanting to transfer personal data from the EU and therefore the Information Commissioner’s Office (ICO) has been considering its own approach to data protection to address such issues.
New UK SCC’s
The ICO released new data protection rules on 28th January 2022. This was part of its International Data Transfer Agreement (IDTA) and International Data Transfer Addendum (UK Addendum). The IDTA and the UK Addendum form part of the UK’s process of developing its own data protection regime after Brexit.
The IDTA and UK Addendum include new data protection provisions for businesses making restricted transfers under the UK GDPR and the Data Protection Act 2018, which will come into force on 28th March 2022 (as long as Parliament does not object).
However, transfer arrangements in the UK that use the Old EU SCCs ended before 21st September 2022 will continue to be valid until 21st March 2024 (unless the underlying processing operations change before such date).
Therefore, after 21st September 2022:
- for new arrangements – organisations must use the IDTA or the UK Addendum (as appropriate); and
- for existing arrangements – the Old EU SCCs must be replaced by 21st March 2024.
When should the UK Addendum be used?
The UK Addendum is to be used where the international transfers of personal data are subject to the EU GDPR and the UK GDPR. In this instance, the UK Addendum contains both terms to allow for the transfer of personal data from the UK and the New EU SCCs to allow for the transfer of personal data from the EU.
When should the IDTA be used?
The IDTA is an alternative to the UK Addendum and is intended to be used by UK-based organisations and only process personal data to which the UK GDPR applies.
Next steps
Organisations making transfers of personal data from either the UK and/or the EU should consider the following steps:
- conduct a review of the organisation’s contractual commitments and arrangements to identify:
- any new agreements where the use of the IDTA or the UK Addendum are required; or
- any existing agreements which require updating prior to 21st March 2024; and
- before making a transfer of any personal data, conduct a transfer risk assessment to identify whether supplementary measures are required before any transfer is made, i.e., whether the IDTA or UK Addendum are required within the appropriate agreements.
If you have any more questions or would like any more information regarding these changes, you can contact the Corporate Team at Myerson Solicitors.
I am James, a UK-based tech enthusiast and the Editor and Owner of Mighty Gadget, which I’ve proudly run since 2007. Passionate about all things technology, my expertise spans from computers and networking to mobile, wearables, and smart home devices.
As a fitness fanatic who loves running and cycling, I also have a keen interest in fitness-related technology, and I take every opportunity to cover this niche on my blog. My diverse interests allow me to bring a unique perspective to tech blogging, merging lifestyle, fitness, and the latest tech trends.
In my academic pursuits, I earned a BSc in Information Systems Design from UCLAN, before advancing my learning with a Master’s Degree in Computing. This advanced study also included Cisco CCNA accreditation, further demonstrating my commitment to understanding and staying ahead of the technology curve.
I’m proud to share that Vuelio has consistently ranked Mighty Gadget as one of the top technology blogs in the UK. With my dedication to technology and drive to share my insights, I aim to continue providing my readers with engaging and informative content.