Where is your data? – new requirements for international data transfers

New UK approved standard contractual clauses for transfers of personal data outside the UK [have been issued] [are in force].  

Businesses transferring personal data outside the UK should be aware of these changes.  

The UK Data Protection Act (which incorporates the UK GDPR) applies to transfers of personal data to countries outside the UK.

The UK GDPR restricts transfers of personal data outside the UK to another country or an international organisation unless individuals’ rights regarding the data are adequately protected[1].  For the transfer to be permitted it must meet one of several permitted transfer conditions, including:

  • the territory is covered by an adequacy regulation;
  • binding corporate rules are in place; or
  • the transfer is subject to standard UK-approved contractual clauses.

Territories currently covered by UK adequacy regulations include the EEA, Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.  Japan and Canada are subject to partial adequacy findings.

Previously, businesses transferring personal data outside the UK could use the EU standard contractual clauses that were approved by the European Commission before the UK left the EU[2].  The European Commission issued new standard contractual clauses in June 2021; however, these were not valid for restricted transfers under the UK GDPR.

After a consultation, the Information Commissioner’s Office issued new UK documents for restricted transfers of personal data.  The documents comprise an international data transfer agreement (IDTA) and an international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers (Addendum).  In March 2022 the IDTA and Addendum were approved by the UK Parliament.  They replace the old EU standard contractual clauses and should be used for transfers of personal data outside the UK.

Can I continue to use the old EU standard contractual clauses for new data transfers?

Businesses may continue to enter into new data transfer contracts using the old EU standard contractual clauses until 21 September 2022[3].  After that date, businesses who wish to transfer data on the basis of UK-approved contractual clauses must use the IDTA or Addendum.

I have been transferring data under the old EU standard contractual clauses – do I need to ask my data processor to sign up to the new UK clauses?

Businesses who are already transferring personal data on the basis of the old EU standard contractual clauses may continue to rely on the EU standard contractual clauses until 21 March 2024.  After this date, they must either enter into a contract on the basis of the new UK IDTA or Addendum or must find another way to make the restricted transfer under the UK GDPR.

The ICO has said that it is producing additional support and guidance on these new documents which will be published soon.

Links to the new UK IDTA and Addendum and the ICO’s guidance on international data transfers can be found here.

How Moore Barlow can help

If your business transfers personal data outside the UK, and you would like advice regarding the steps you should be taking to comply with data protection laws, please do get in touch.

References

[1] UK GDPR Article 46(1) 

[2] Schedule 21, Part 3 Paragraph 7 of the Data Protection Act has transitional provisions allowing continued use by data exporters of standard data protection clauses issued under the EU Data Protection Directive 95/46/EC. In particular, the standard data protection clauses issued under European Commission Decisions 2001/497/EC and 2010/87/EU

[3] See International Data Transfer Agreements – Transitional Provisions in force 21 March 2022 https://ico.org.uk/media/for-organisations/documents/4019534/scc-transitional-provisions.pdf
