A newly issued mechanism for cross-border transfers of personal data governed by the UK GDPR has entered into force. The new mechanism, created by the UK Information Commissioner’s Office (ICO), offers two alternative solutions. The first is an “International Data Transfer Agreement” (IDTA), which constitutes a standalone agreement that follows the blueprint of the EU Standard Contractual Clauses (SCCs). The second is the “UK Addendum”, which is meant to be appended to the EU SCCs to legalize UK data transfers.
Commencing March 21st, both the IDTA and the UK Addendum can be used as appropriate safeguards for transfers of personal data from the UK to countries that do not provide an adequate level of data protection. The need for the IDTA or the UK Addendum stems from the Brexit that was concluded on the last day of 2020. The Brexit marked the UK’s withdrawal from the European Union, as well as from the jurisdiction of the EU GDPR and the EU Commission’s Standard Contractual Clauses.
While the EU SCCs adopted a modular format that allows the data importer and data exporter to choose the contractual module that is appropriate to their relations regarding the data transfer, the IDTA introduces a simpler format of a single agreement adaptable to various data transfer scenarios.
Agreements regarding UK data transfers concluded on or before September 21st, 2022, based on the old EU SCCs (pre-Schrems II decision) will remain in force until March 21st, 2024, provided that the processing operations described in them do not change. Any agreements concluded thereafter, must be based on either the IDTA or the UK Addendum.
CLICK HERE to read the UK International Data Transfer Agreement.
CLICK HERE to read the UK Addendum to the EU Commission Standard Contractual Clauses.