If your business transfers personal data out of the UK, you must ensure that your transfers comply with UK international data transfer laws.
Here, we discuss the UK’s International Data Transfer Agreement (IDTA) and UK addendum and how these documents can serve as appropriate safeguards for international data transfers.
Our expert data protection solicitors can provide advice tailored to your situation to ensure you comply with the IDTA.
Jump to:
What are the UK standard contractual clauses (UK SCCs)?
The UK’s IDTA, an addendum to the European Commission’s standard contractual clauses for international data transfers (UK Addendum), are appropriate safeguards for international data transfers.
These are essentially the UK standard contractual clauses (UK SCCs), the UK version of the EU standard contractual clauses (EU SCCs).
The IDTA is a legal contract published by the UK ICO to safeguard personal data sent outside the UK to certain third countries. It is designed to be a user-friendly and straightforward document for organisations to use for international data transfers.
In contrast, the EU SCCs are contracts produced by the European Commission to safeguard personal data sent outside the EU to certain third countries. They look different from the UK IDTA—they adopt a modular format and include separate provisions for various data-sharing scenarios.
UK businesses have a choice to use either:
- The IDTA as a standalone document or
- The EU SCCs, with The UK Addendum, are documents that modify the EU SCCs to comply with UK data protection law. Organisations using the EU SCCs must adopt the UK Addendum to comply with UK data protection laws.
What is a restricted transfer?
Chapter V of the UK GDPR covers this transfer. The UK GDPR restricts transfers of personal data outside the UK unless a provision permits the restricted transfer that complies with the UK GDPR.
Businesses that export from the UK can use the IDTA or the EU SCCs with the UK Addendum as a transfer mechanism when making a restricted transfer.
A restricted transfer may occur if the data importer is in a third country covered by the UK adequacy regulations or adequate safeguards, such as the UK SCCs.
The Information Commissioner’s Office (ICO) provides a checklist to assess restricted transfers.
You cannot make the data transfer if you reach the end of the checklist without finding a provision permitting the restricted transfer.
What is a third country?
This is a country or territory outside the UK. A non-adequate third country lacks an adequacy decision. An adequacy decision means that the government has been assessed to provide adequate protection for personal data, and you may send personal data there without putting additional measures in place.
The ICO’s guide to international transfers reviews and updates the countries deemed to be adequate, so you should check this over time for the most up-to-date list.
Which approach should you adopt – the IDTA, EU SCCs and UK Addendum?
The IDTA and the UK Addendum are alternative ways to protect UK personal data during restricted transfers.
Your organisation's approach depends on your operations. For example, international organisations operating across the UK and EEA jurisdictions will likely prefer the EU SCCs plus the UK Addendum rather than adopting the IDTA. The UK Addendum replaces EU-specific terms with UK-specific language. Organisations that have already implemented the EU SCCs for data transfers may find adopting the UK Addendum a quicker and simpler fix.
The IDTA, however, is a standalone agreement (unlike the EU modular approach) that a controller or a processor can use. Like the EU SCCs, it places contractual obligations on data exporters and importers, which also considers Schrems II's decision.
When considering the choice between the IDTA or EU SCCs and UK Addendum, consider factors such as:
- Whether your business transfers personal data from the UK only or from the EU
- How familiar are you with the EU SCCs? If you have spent considerable time putting in place EU SCCs, the UK Addendum and EU SCCs may be a viable option.
This is a complex topic; legal advice from a specialist data protection lawyer on which documentation suits your business is advisable. A data protection lawyer can consider your business locations and their data flows and can advise on the most appropriate mechanism to adapt for your purposes.
This is a complex topic and legal advice from a specialist data protection lawyer on which documentation is suitable for your business is advisable. A data protection lawyer can consider your business locations, and its data flows, and can advise on the most suitable mechanism to adopt for your purposes.
Do I still need to carry out a transfer risk assessment (TRA)?
In short, you must carry out a TRA if you are making a restricted transfer and wish to rely on one of Article 46 transfer tools.
Key steps for compliant international data transfers
Consider the following next steps as a business transferring personal data out of the UK:
- Adopt an approach aligned with your business operations when implementing an IDTA or UK Addendum to the EU SCCs.
- Scope all contracts where using the IDTA or the UK Addendum is required.
- Conduct a TRA to identify whether supplementary measures are required within the appropriate agreements.
We understand that conducting transfer risk assessments or deciding whether to use the IDTA or the UK Addendum are complex tasks. Our specialist data protection lawyers are on hand to assist you in identifying any restricted transfers and ensure that you have adequate safeguards to ensure compliance with the UK GDPR regime.
