The Information Commissioner’s Office has published the final form of its new International Data Transfer Agreement (IDTA), together with a new addendum to the EU’s standard contractual clauses (Addendum), which have been laid before Parliament under section 119A of the Data Protection Act 2018.

This came into force on 21 March 2022.

Transfer of data outside of the UK

The UK General Data Protection Regulation (GDPR) primarily applies to controllers and processors of personal data located in the UK. Individuals risk losing the protection of the UK data protection laws if their personal data is transferred outside of the UK. 

Therefore, the UK GDPR restricts transfers of personal data to a separate organisation located outside the UK, unless the individual’s data protection rights are protected in another way, or an exception applies. Any transfer of data to a separate organisation outside of the UK is referred to as a “restricted transfer”. 

Who will be able to use the IDTA or the Addendum as a transfer tool?

An Exporter - a person who sends data which is a restricted transfer, will be able to use the IDTA or the Addendum as a transfer tool. This is to comply with article 46 UK GDPR (the requirement to ensure transfers of data are subject to appropriate safeguards) for international transfers of data. 

At the present time, transfers of data to and from the EU are covered by an “adequacy decision”, which permits the transfer of such data without the need for a separate agreement, but these decisions are kept under review and may change. 

The IDTA and Addendum replace the current standard contractual clauses for international transfers and from 21 March 2022 are of use to organisations transferring personal data outside of the UK, where the data controller is not able to rely on an adequacy decision. The IDTA also expressly permits transfers to importers (a person who receives data) that are subject to the UK GDPR. 

Any organisation that has already entered into the UK’s standard contractual clauses will be able to use them until 21 March 2024, provided that the data processing operations do not change, and the personal data remains subject to appropriate safeguards. 

The Addendum tailors the EU’s standard contractual clauses so they work for UK data transfers and will most likely be used for transfers outside the European Economic Area involving EU personal data. Some of the requirements of the UK GDPR are more comprehensive than the EU GDPR standard contractual requirements, so organisations should take steps to ensure they know what is required under the IDTA and the Addendum.

The IDTA is available on the ICO’s website and is formed by ticking the appropriate tick boxes to a series of questions. Guidance on the individual clauses is expected, but not yet available, to assist with preparation and completion of the agreement.

We assist businesses with their data protection requirements. Contact Tracey Dickens