You are using an outdated browser. Please upgrade your browser to improve your experience
Contact one of our experts below to find out how we can help you. We’ll aim to respond same working day.
Contact one of our experts below to find out how we can help you. We’ll aim to respond same working day.
Contact one of our experts below to find out how we can help you. We’ll aim to respond same working day.
Contact one of our experts below to find out how we can help you. We’ll aim to respond same working day.
Expertise and advice so you're always one step ahead - sign up to receive the latest legal updates, events & seminar news
This is the case if the contract involves the transfer of data from the UK to a third country whose data protection regime has not been deemed ‘adequate’ by the UK Information Commissioner (known as a ‘restricted transfer’).
The International Data Transfer Agreement (IDTA) and the International Data Transfer Addendum (UK Addendum) came into force in the UK on 21 March 2022. Both can be used as a transfer mechanism to comply with the requirement under Article 46 of the UK General Data Protection Regulation (UK GDPR) when making restricted transfers.
Under Article 46, organisations making restricted transfers of personal data out of the UK must provide appropriate safeguards for personal data to ensure that data subjects are given the same level of protection as they would have been under the UK GDPR.
The IDTA and the UK Addendum replace the previous Standard Contractual Clauses for international transfers (SCCs), mainly reflecting the judgment of the European Court of Justice commonly known as “Schrems II”. Although the UK has left the EU, the decision in “Schrems II” came ahead of Brexit and the UK is still bound by it.
The requirement to provide appropriate safeguards when making a restricted transfer also applies under the EU GDPR for personal data transfers from the EU/EEA to any country without an adequacy decision from the EU Commission.
If you would like to know more about the new EU Standard Contractual Clauses (SCCs) adopted following the decision in “Schrems II”, please see our summary of the key features to look out for and steps to take here.
The UK was the subject of an EU adequacy decision in 2021, so the new SCCs do not need to be used for data transfers from the EU/EEA to the UK. This may be reviewed if UK data protection laws move away from the EU GDPR, which they currently mirror. However, the incoming UK government under Liz Truss signalled last week that the second reading in parliament of the controversial Data Protection and Digital Information Bill has been postponed, and that the legislation would be considered further.
As for organisations making restricted transfers out of the UK, they can choose whether to use the IDTA or the UK Addendum in their respective contracts. The main difference between the two is that the IDTA is a separate agreement to be signed by the parties whereas the UK Addendum is meant to be used together with the new SCCs, varying them ever so slightly to fit the UK GDPR narrative. The IDTA is therefore appropriate in transactions where the use of the new SCCs is not necessary. The UK Addendum, on the other hand, would be valuable in multinational transactions where both the UK and the EU GDPR regime must be followed.
What should you do?
According to the transitional provisions in the legislation, organisations will need to incorporate either the IDTA or the UK Addendum to all contracts concluded on or after 22 September 2022.
Contracts concluded on or before 21 September 2022 may still use the old SCCs, which will provide appropriate safeguards for the purpose of Article 46 of the UK GDPR up until 21 March 2024.
We would therefore suggest considering including either the IDTA or the UK Addendum to all newly-formed contracts to avoid future need for any changes. Organisations should also identify any contracts already in place that will need to be updated.
How can we help?
If you’d like any guidance on this matter, please get in touch. We can help by:
Our specialist GDPR and data protection solicitors will make the effort to get to know your business, using this knowledge to create workable solutions to any kind of data protection compliance challenge you may face. Whether you’re looking for a comprehensive solution, training or help with certain aspects of data protection law, please contact our dedicated team.
The ICO (Information Commissioner’s Office) has released its annual report, which has revealed an “unprecedented” year. It received 41,661 data protection complaints in 2018/19, up from 21,019 in 2017/18. Big…
| Cookie | Duration | Description |
|---|---|---|
| __cf_bm | 30 minutes | This cookie, set by Cloudflare, is used to support Cloudflare Bot Management. |
| mgref | 1 year | This cookie is set by Eventbrite to deliver content tailored to the end user's interests and improve content creation. It is also used for event-booking purposes. |
| Cookie | Duration | Description |
|---|---|---|
| _ga | 2 years | The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors. |
| _gat | 1 minute | This cookie is installed by Google Universal Analytics to restrain request rate and thus limit the collection of data on high traffic sites. |
| _gid | 1 day | Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously. |
| G | 1 year | Cookie used to facilitate the translation into the preferred language of the visitor. |
| vuid | 2 years | Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website. |
