Key New Documentation for Non-EEA Personal Data Transfers

UK data protection legislation, consisting chiefly of the UK GDPR and the Data Protection Act 2018, requires that all data processing carried out by a data processor on behalf of a data controller is covered by a written contract.

The UK GDPR also restricts transfers of personal data to non-UK countries and international organisations. If the transfer in question amounts to a “restricted transfer”, it must be covered by what are known as “appropriate safeguards”. These appropriate safeguards are designed to ensure that personal data and the rights of the relevant individuals remain protected when it leaves the jurisdiction of UK data protection law.

Some restricted transfers are covered by “adequacy regulations”. If a country is covered by adequacy regulations, this essentially means that the data protection laws of the country in question have been assessed as “adequate” in terms of their protection for personal data and the rights and freedoms of individual data subjects.

If there are no adequacy regulations in place, other appropriate safeguards are available including:

• A legally binding and enforceable instrument between public authorities or bodies
• Binding corporate rules (BCRs)
• Standard Contractual Clauses (SCCs)
• An approved code of conduct (approved by the ICO)
• Certification under an approved certification scheme (approved by the ICO)
• Contractual clauses authorised by the ICO

There are also certain exceptions which may apply.

This newsletter focuses on Standard Contractual Clauses. Until recently, the SCCs for use in the UK were still the old EU SCCs that were in effect when the UK left the European Union. Since then, the EU Commission has issued new SCCs, but they had no effect in the UK. Now, the Information Commissioner’s Office has issued the International Data Transfer Agreement – essentially, the UK’s own in-house SCCs. (Other options are also available, but beyond the focus of this newsletter).

The International Data Transfer Agreement or “IDTA” is designed to be used alongside another agreement such as an Article 28(3) UK GDPR compliant data processing agreement and is designed to protect personal data transferred beyond the EEA and the rights and freedoms of affected individual data subjects.

The IDTA was introduced by the ICO in March 2022. Until 21 September 2022, it remains permissible to enter into new contracts which incorporate the old EU SCCs, which then remain valid until 21 March 2024. Any new contracts entered into after 21 September must use the new IDTA or the current EU SCCs with the ICO’s new International Data Transfer Addendum. In any case, the new documents can be used now, however ICO guidance is still a work in progress at this time.

New IDTA Template and Updated Data Processing Agreement (UK to Non-EEA)

A new template version of the ICO’s International Data Transfer Agreement has been added to the portfolio of UK GDPR & Data Protection documents. This template is a direct copy of the ICO’s own document and will be kept up-to-date in line with any amendments the ICO makes to their own. In this context, it is designed to be used in combination with the Data Processing Agreement (UK to Non-EEA), which has been updated with reference to the new IDTA. Once completed, a copy of the IDTA should be attached to the completed Data Processing Agreement as a schedule in the space provided.

The IDTA template is designed for use “as is” and, unless expressly indicated, should not be edited. Tables are used at the start of the document for users to add specific details and make contextual selections. The mandatory clauses in the main body of the document refer back to the choices made in the tables for the appropriate interpretation, context, and scope.

The ICO has yet to publish guidance on the use of the IDTA, and it is therefore strongly recommended that independent professional advice is sought before using the IDTA. Additional detail will be added to the information accompanying the document on this site when it becomes available from the ICO.