How can we help?


21 March 2024 Deadline: Are your international data transfer agreements compliant?

If your organisation transfers personal data from the UK to another country, it needs to comply with statutory requirements to ensure adequate levels of protection for that data are in place.

Some countries have an ‘adequacy decision’ which means they have been judged as having adequate protections in place and so you can transfer personal data to these countries without needing any further specific approval.  A normal, commercial data sharing agreement will be enough in those circumstances.

However, in the absence of an adequacy decision, adequate safeguards will need to be put in place before you can transfer data (unless you are able to rely on one of the limited exemptions in the UK GDPR and Data Protection Act 2018).

One of the most common safeguards used are standard contractual clauses.

Standard Contractual Terms

Prior to 2021, the EU had its own set of standard contractual clauses for data transfers which companies in the UK often used (‘Old EU Clauses’).   It updated these in 2021 (‘New EU Clauses’).

The ICO has since developed two sets of standard contractual clauses for the UK.  Which one is appropriate to use depends on whether data is being transferred from the UK only or the UK and EEA.

UK Only – International Data Transfer Agreement

The ICO’s International Data Transfer Agreement (‘IDTA’) is most appropriate for data transfer agreements concluded after 21 March 2022 where data is being transferred from the UK only to another country.

For older agreements based on the Old EU Clauses, there were some transitional provisions allowing organisations time to move onto the new IDTA model, but these expire on 21 March 2024 and, as such, all organisations need to ensure that they are on the new IDTA model from 21 March 2024.

The ICO has since developed two sets of standard contractual clauses for the UK.

UK and EEA – New EU Clauses and Addendum

Organisations who transfer data from the UK and EEA to other countries will usually need to use the second set of standard contractual clauses produced by the ICO known as the International Data Transfer Agreement Addendum (‘Addendum’).  This Addendum is used alongside the New EU Clauses.

Companies should have already moved onto the New EU Clauses and Addendum model as all transitional provisions expired in 2022.

Steps you should take now!

Companies need to review their data transfer practices and agreements to understand what international transfers occur and the agreements that govern these.  They need to understand if data is being transferred from the UK only, or from the UK and EEA, and whether any of their agreements are based on the Old EU Clauses. They should also check if any of their agreements are based solely on the New EU Clauses, without the Addendum.

Any which are now out of date will need to be transferred onto the new models to ensure they remain valid and legally compliant.  If not, the organisation runs the risk of not having adequate safeguards in place for the data transfer in breach of the legislation.  Alternatively, organisations will need to consider if an alternative safeguard should be used, such as binding corporate rules or whether it is able to rely on any of the exemptions in the legislation.

Companies should also carry out transfer risk assessments before relying on the standard contractual clauses (or other safeguards) and so this will also need to be considered as part of the updating.

Our data privacy lawyers are on hand to advise you through this process and to help draft up new agreements as needed.

FAQs – International Transfers

This refers to the act of sending or transmitting personal data from one country to another. It also covers when an organisation makes personal data available to another entity located in another country, i.e. such data being accessible from overseas.

The UK GDPR contains rules on the transfer of personal data to outside the UK, where these rules apply to all transfers, no matter the size of the transfer or how often you carry them out.

Yes, you can provided you have the correct arrangements in place. Transfers from the UK to the EEA do not require any new arrangements, however transfers (known as ‘restricted transfers’) to ‘third countries’, will require additional safeguards.

This will depend on a case-by-case basis, however before making a restricted transfer, you should consider if the personal data needs to be sent, and whether any personal data could be anonymised so that it is not possible to identify individuals.

Broadly, the following questions should be considered under the UK GDPR before a restricted transfer is made:

  • Is the restricted transfer covered by ‘adequacy regulations’?
  • Is the restricted transfer covered by appropriate safeguards?
  • Is the restricted transfer covered by an exception?

About this article

This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

About this article

Read, listen and watch our latest insights

  • 24 April 2024
  • Privacy and Data Protection

Personal Data FAQs

Personal data refers to any information related to an identifiable living individual. 

  • 22 April 2024
  • Privacy and Data Protection

Think tank study finds that up to 8 million jobs may be at risk from AI

Injuring someone’s feelings through acts of discrimination, harassment or victimisation can be a costly business.

  • 26 March 2024
  • Privacy and Data Protection

AI Podcast: AI and Data Security

In the third and final podcast in our ‘AI Podcast’ trilogy, members of the data protection team, will be discussing how to use AI to process data safely. They will be looking closely at the risks for businesses and the types of data security protections you can put in place.

  • 26 March 2024
  • Privacy and Data Protection

Key considerations for data retention policies

In the ever-evolving landscape of data protection regulations, data retention stands as a crucial aspect of compliance and risk management for organisations across industries.

  • 18 March 2024
  • Privacy and Data Protection

Consent or pay: Issues and considerations, Meta’s potential breach

The ICO has stated that any organisation considering using “consent or pay” must ensure that the consent to processing of personal data for personalised advertising is being given freely, and is fully informed.

  • 06 March 2024
  • Privacy and Data Protection

Personal Data Breaches – How do I deal with them?

This article will provide an overview of the steps to take when experiencing a personal data breach.