21 March 2024 Deadline: Are your international data transfer agreements compliant?

If your organisation transfers personal data from the UK to another country, it needs to comply with statutory requirements to ensure adequate levels of protection for that data are in place.

Some countries have an ‘adequacy decision’ which means they have been judged as having adequate protections in place and so you can transfer personal data to these countries without needing any further specific approval.  A normal, commercial data sharing agreement will be enough in those circumstances.

However, in the absence of an adequacy decision, adequate safeguards will need to be put in place before you can transfer data (unless you are able to rely on one of the limited exemptions in the UK GDPR and Data Protection Act 2018).

One of the most commonly used safeguards is standard contractual clauses.

Standard Contractual Terms

Prior to 2021, the EU had its own set of standard contractual clauses for data transfers which companies in the UK often used (‘Old EU Clauses’).   It updated these in 2021 (‘New EU Clauses’).

The ICO has since developed two sets of standard contractual clauses for the UK.  Which one is appropriate to use depends on whether data is being transferred from the UK only or the UK and EEA.

UK Only – International Data Transfer Agreement

The ICO’s International Data Transfer Agreement (‘IDTA’) is most appropriate for data transfer agreements concluded after 21 March 2022 where data is being transferred from the UK only to another country.

For older agreements based on the Old EU Clauses, there were some transitional provisions allowing organisations time to move onto the new IDTA model, but these expire on 21 March 2024 and, as such, all organisations need to ensure that they are on the new IDTA model from 21 March 2024.

UK and EEA – New EU Clauses and Addendum

Organisations who transfer data from the UK and EEA to other countries will usually need to use the second set of standard contractual clauses produced by the ICO known as the International Data Transfer Agreement Addendum (‘Addendum’).  This Addendum is used alongside the New EU Clauses.

Companies should have already moved onto the New EU Clauses and Addendum model as all transitional provisions expired in 2022.

Steps you should take now!

Companies need to review their data transfer practices and agreements to understand what international transfers occur and the agreements that govern these.  They need to understand if data is being transferred from the UK only, or from the UK and EEA, and whether any of their agreements are based on the Old EU Clauses. They should also check if any of their agreements are based solely on the New EU Clauses, without the Addendum.

Any which are now out of date will need to be transferred onto the new models to ensure they remain valid and legally compliant. If not, the organisation runs the risk of not having adequate safeguards in place for the data transfer, in breach of the legislation. Alternatively, organisations will need to consider whether an alternative safeguard should be used, such as binding corporate rules, or whether they are able to rely on any of the exemptions in the legislation.

Companies should also carry out transfer risk assessments before relying on the standard contractual clauses (or other safeguards) and so this will also need to be considered as part of the updating.

Our data privacy lawyers are on hand to advise you through this process and to help draft up new agreements as needed.

FAQs – International Transfers

This refers to the act of sending or transmitting personal data from one country to another. It also covers when an organisation makes personal data available to another entity located in another country, i.e. such data being accessible from overseas.

The UK GDPR contains rules on the transfer of personal data outside the UK. These rules apply to all transfers, no matter the size of the transfer or how often you carry them out.

Yes, you can, provided you have the correct arrangements in place. Transfers from the UK to the EEA do not require any new arrangements; however, transfers to ‘third countries’ (known as ‘restricted transfers’) will require additional safeguards.

This will depend on the circumstances of each case. However, before making a restricted transfer, you should consider whether the personal data needs to be sent, and whether any personal data could be anonymised so that it is not possible to identify individuals.

Broadly, the following questions should be considered under the UK GDPR before a restricted transfer is made:

  • Is the restricted transfer covered by ‘adequacy regulations’?
  • Is the restricted transfer covered by appropriate safeguards?
  • Is the restricted transfer covered by an exception?

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.
