bto solicitors - Corporate & Commercial Business Lawyers Glasgow Edinburgh Scotland

  • "really fights your corner..."
    "really fights your corner..." Chambers UK
  • "Consistently high-quality work and client-friendly approach."
    "Consistently high-quality work and client-friendly approach." Chambers UK

International Transfers of Personal Data

28 November 2022

Organisations that share personal data across international borders and which are subject to UK GDPR, require to have arrangements in place to ensure protection of personal data where no adequacy framework is in place between the countries involved in the transfer.

For example, the UK and the EU have an adequacy arrangement in place and the UK and USA are currently involved in negotiations to put such an arrangement in place.

    Lynn Richmond

 Lynn Richmond
Partner

    Paul Motion

 Paul Motion
Partner

In the absence of such an arrangement, other measures must be put in place to ensure the protection of personal data. Prior to Brexit, that often entailed parties agreeing to the standard contractual clauses (SCCs) which had been approved by the EU Commission. After Brexit, the EU SCCs remained in use despite the fact the UK GDPR had largely replaced EU GDPR as the primary data protection legislation for most British business (although it is important to note that EU GDPR also still applies to UK businesses providing services in the EU or to EU citizens). 

Earlier this year, the Information Commissioner’s Office approved new contractual documents designed to replace the SCCs which were no longer appropriate where EU GDPR did not apply. Instead, an International Data Sharing Agreement (IDTA) or an International Data Sharing Addendum (Addendum) may be used where international transfers take place.

What is an IDTA?

The IDTA is a template agreement which can be used to satisfy the requirements for international transfer of personal data to take place. The IDTA can be used for the transfer of data from controller to controller and can also be used for transfer of data between controller and processor or between processor and sub-processor.

What isn’t an IDTA?

It should be noted, however, that the IDTA is not a processing agreement in terms of Article 28 of the UK GDPR. Article 28 of the UK GDPR requires controllers and processors to enter into a written contract setting out responsibilities and obligations in terms of data processing. The IDTA is not a substitute for that processing agreement and any processing agreement must still be used in conjunction with the IDTA.

When is an IDTA not required?

Transfers of data which take place solely within the UK do not require an IDTA but a written processing agreement between controllers and processors and between processors and sub-processors will still be required.

What is the difference between an IDTA and an Addendum?

While the IDTA and the Addendum achieve the same purpose, the Addendum is considerably shorter than the IDTA and allows businesses to rely on the 2021 EU SCCs. The Addendum effectively adapts the SCCs for UK use and is likely to appeal to businesses which are also subject to EU GDPR and which already use the SCCs in that context.

Transfer Risk Assessment

Where the IDTA or Addendum is to be used, a transfer risk assessment should also be carried out to ascertain whether any additional protections must be put in place prior to the transfer of data.

While existing agreements which use the old SCCs, will remain effective for the time being, any new international data sharing agreements must now incorporate the IDTA and all international data sharing agreements (including those where the old SCCs were put in place) must be replaced by the IDTA or Addendum by no later than March 2024.

The Deadline

Businesses can no longer use the SCCs for new data sharing agreements and must convert all existing data sharing agreements to the new IDTA or the Addendum by March 2024.

BTO’s Data Protection Team can guide you through these changes and assist with all of your data protection requirements. If you would like any further information, please contact us.

This note does not constitute legal advice and should not be construed as such. BTO Solicitors LLP accepts no liability or responsibility for any actions taken, or omissions, by any party based on the contents of this note.

Lynn Richmond, Partner and Certified Specialist in Cyber Security (Author of article): lyr@bto.co.uk / 0131 222 2934

Paul Motion, Partner & Solicitor Advocate, Accredited Specialist in Data Protection & Freedom of Information Law: prm@bto.co.uk / 0131 222 2932

Related Links

“The level of service has always been excellent, with properly experienced solicitors dealing with appropriate cases" Legal 500

Contact BTO

Glasgow

  • 48 St. Vincent Street
  • Glasgow
  • G2 5HS
  • T:+44 (0)141 221 8012
  • F:+44 (0)141 221 7803

Edinburgh

  • One Edinburgh Quay
  • Edinburgh
  • EH3 9QG
  • T:+44 (0)131 222 2939
  • F:+44 (0)131 222 2949

Sectors

Services