EU and UK-based organisations regularly need to transfer personal data to different countries for a variety of reasons – project collaborations, partnerships, service providers etc.
With the increasing complexity of global privacy legislation, it is vital for organisations to have the appropriate safeguards in place for these transfers. This ensures compliance with data protection laws, mitigates the risk of a data breach, and helps to maintain the trust of customers, stakeholders, and employees.
There are several safeguarding options, depending on the nature of the data, where the individuals are located, and where the data is being sent.
In this blog, we take a look at the EU Standard Contractual Clauses (EU SCCs), the UK Addendum, and the UK International Data Transfer Agreement (IDTA), explaining the suitability of each mechanism for EU and UK personal data transfers and the factors to consider.
EU SCCs are one of the most commonly used data transfer mechanisms. They are popular because they have pre-approval by the European Commission and a level of assurance for compliance with the General Data Protection Regulation (GDPR).
The European Commission published new EU SCCs on 4 June 2021, allowing organisations to use these for data transfers from the European Economic Area (EEA) to third countries from 27 June 2021.
As the UK is no longer part of the EEA, UK organisations cannot rely on the new EU SCCs. Only the old EU SCCs were valid in the UK until the Information Commissioner’s Office (ICO) introduced their own solution in the form of an Addendum, which came into force on 21 March 2022.
The UK Addendum allows organisations to use the new EU SCCs for UK personal data transfers, ensuring compliance with both EU and UK data protection laws. This is a helpful solution for organisations with locations across the EU and the UK.
The old EU SCCs expired on 27 December 2022. Any existing UK contracts have until 21 March 2024 to transition to the new EU SCCs with UK Addendum or the IDTA.
The International Data Transfer Agreement (IDTA) was developed by the UK’s Information Commissioner’s Office (ICO) and has been in force since 21 March 2022. It is a legal framework for transferring personal data from the UK to countries outside the European Economic Area (EEA) not covered by adequacy decisions (these are known as UK Restricted Transfers).
The IDTA is an alternative to the EU SCCs with the UK Addendum but is only suitable for transferring personal data from the UK.
The IDTA sets out contractual obligations for both the data exporter (in the UK) and the data importer (in the third country) to protect the privacy and rights of individuals whose data is being transferred. It includes clauses on data handling, processing, security measures, and the rights of individuals.
There are fundamental questions you should ask when choosing the most appropriate data transfer mechanism for your organisation. These include understanding the type of data being transferred, the frequency and volumes, and the countries involved.
Here’s a helpful list of questions to consider and an overview of which mechanism to use for EU or UK data: