Transferring personal data outside of the UK under UK GDPR - Image by Pete Linforth from PixabayThe UK GDPR restricts the transfer of personal data to countries or organisations outside of the UK unless certain standards are satisfied. One of which is that the receiver of the personal data is located in a country, place or organisation covered by a UK “adequacy decision”. This means that the UK considers the legal framework of that country, place or international organisation as providing adequate protection for individuals’ personal data.

Other safeguards must be put in place before personal data is transferred to a country not covered by an adequacy decision (for example, the United States).

One solution is for the person making the transfer and the recipient receiving the personal data to enter into a contract that incorporates standard data protection clauses recognised or issued under the UK GDPR. These are known as standard contractual clauses, SCCs or model clauses. It should occur before the transfer of personal data is made.

Why have the ICO made these updates?

The EU restricts the transfer of personal data outside of the European Economic Area (EEA) and requires the use of standard contractual clauses (the Old EU SCCs).

Following Brexit, the UK maintained in place many existing EU laws and regulations to minimise disruption. Therefore, there was little divergence in data protection laws between the EU and the UK following the UK’s departure from the EU. Organisations wishing to transfer personal data outside of the UK were therefore required to also use the Old EU SCCs.

However, recent developments in data protection law throughout Europe have prompted the European Commission to create a new set of standard contractual clauses in 2021 (the New EU SCCs). Organisations wishing to transfer personal data from the EEA should now use the New EU SCCs.

Therefore, the UK’s regulatory body (the Information Commissioner’s Office (ICO)) has been prompted to consider the UK’s approach to international personal data transfers.

New UK SCC’s

The ICO released new data protection rules on 28th January 2022. These are part of its International Data Transfer Agreement (IDTA) and International Data Transfer Addendum (UK Addendum). The IDTA and the UK Addendum form part of the UK’s development of its own data protection regime following Brexit.

The IDTA and UK Addendum include new data protection provisions for organisations transferring personal data outside of the UK under the UK GDPR and the Data Protection Act 2018.

Transition Period

The IDTA and the UK Addendum came into force on 21st March 2022. However, a grace period to implement the IDTA and the UK Addendum has been granted.

Transfer arrangements in the UK that use the Old EU SCCs concluded before 21st September 2022 will continue to be valid until 21st March 2024 (unless the underlying processing operations change before such date).

Also – until 21st September 2022, organisations can continue to use the Old EU SCCs to facilitate transfers of personal data. However, it may be more effective to implement the IDTA or the UK Addendum for new arrangements now to ensure future compliance.

Therefore, after 21st September 2022:

  • For new arrangements: organisations must use the IDTA or the UK Addendum (as appropriate)
  • For existing arrangements: the Old EU SCCs must be replaced by 21st March 2024

When should the UK Addendum be used?

The UK Addendum is to be used where the international transfers of personal data are subject to both the EU GDPR and the UK GDPR.

In this instance, the UK Addendum contains terms to allow for the transfer of personal data from the UK and the New EU SCCs to allow for the transfer of personal data from the EEA.

When should the IDTA be used?

The IDTA is an alternative to the UK Addendum.

It is intended to be used by UK-based organisations that only process personal data to which the UK GDPR applies.

The ICO is due to publish additional guidance on how and when to use the IDTA and the UK Addendum. This will include clause by clause guidance on the terms of the IDTA and the UK Addendum, and how to conduct data transfer risk assessments.

The next steps

Before transferring personal data from either the UK or the EU, organisations should consider the following steps:

  • Conduct a review of existing contracts and arrangements. This will help identify any existing agreements which require updating prior to 21st March 2024.
  • Closely monitor any new agreements where personal data is required to be transferred outside of the UK or the EU. This will help identify any new agreements where the use of the IDTA or the UK Addendum are required.
  • Conduct a transfer risk assessment before transferring any personal data. This will help identify whether any supplementary measures are required. For example, whether the IDTA or the UK Addendum are required within the appropriate agreements.

This article was written by Joanna Colgan, a Commercial Solicitor within the Corporate Commercial department of Myerson. Should you have any questions or want more information regarding these changes, you can contact the Commercial Team at Myerson Solicitors.

MyersonMyerson Solicitors are a trusted legal adviser in Manchester. With over 40 years of experience, the team has one of the largest Corporate and Commercial teams in the North West, acting for owner managed businesses, SME’s, start-up’s and individuals, locally and nationally.

At Myerson, you will discover a team of exceptionally talented lawyers who are passionate about making a genuine difference to their client’s businesses and lives.

Rated as a ‘Top Tier 1’ law firm by international directory The Legal 500, the team were also recognised as the ’Corporate and Commercial Business Team of the Year 2021’ at the Manchester Legal Awards.

By working with you and your business needs, Myerson aims to ensure the right team of sector experts are available to support your business every step of the way.  From complex, high-value, international transactions to advising on the bedrock activity involved with running a business, everything Myerson do is aimed at helping you achieve commercial success.

Naturally, they aim to protect you from disputes, so rest assured, should a situation become contentious, they have one of the largest and most respected commercial litigation teams ready to act on your behalf.

Read Myerson’s useful Top 10 Tips for Tech and Business Start-ups here.


Please enter your comment!
Please enter your name here