If your business transfers personal data out of the UK, you must ensure that your transfers comply with UK international data transfer laws.
This article explains the UK’s International Data Transfer Agreement (IDTA) and UK International Data Transfer Addendum (UK Addendum) for the EU Commission Standard Contractual Clauses (EU SCCs) and how these documents can serve as appropriate safeguards for international data transfers.
Our expert data protection solicitors can provide advice tailored to your situation to ensure you comply with the UK’s international data transfer requirements.
Jump to:
What is a restricted transfer?
First, it’s critical to understand if you’re carrying out a ‘restricted transfer’ - in which case you must comply with stringent legal rules.
Chapter V of the UK GDPR covers this transfer. The UK GDPR restricts transfers of personal data outside the UK unless a legally valid mechanism permits the restricted transfer that complies with the UK GDPR.
Businesses that export personal data from the UK can use the IDTA or the EU SCCs with the UK Addendum as a transfer mechanism when making a restricted transfer - as we cover further below.
A restricted transfer may occur if the data importer is in a third country covered by the UK adequacy regulations or adequate safeguards, such as the UK IDTA.
If the UK has granted adequacy to a country, no additional safeguards (such as the IDTA or UK Addendum) are required. An adequacy decision means that the government has been assessed to provide adequate protection for personal data, and you may send personal data there without putting additional measures in place. But - remember that adequacy decisions are subject to review and change, so you must check for updates before you rely on an adequacy decision.
The Information Commissioner’s Office (ICO) provides a checklist to assess restricted transfers.
You cannot make the data transfer if you reach the end of the checklist without finding a provision permitting the restricted transfer.
What is a third country?
This is a country or territory outside the UK. A non-adequate third country lacks an adequacy decision.
The ICO’s guide to international transfers reviews and updates the countries deemed adequate, so you should check this over time for the most up-to-date list.
What are the UK’s specific international data transfer documents?
The UK’s IDTA and the UK Addendum are appropriate safeguards for international data transfers.
The IDTA is a standalone UK-specific agreement to cover data transfers, and the UK Addendum modifies the EU SCCs for UK compliance.
What are the EU SCCs?
The EU SCCs are contracts that the European Commission produces to safeguard personal data sent outside the EU to certain third countries. They look different from the UK IDTA since they adopt a modular format and cover separate provisions for different data-sharing scenarios. It’s impossible to use the EU SCCs alone under UK data protection law where necessary for your transfer - you’ll need to use them alongside the UK Addendum (as we’ll explain below).
What is the IDTA?
The IDTA is a legal standalone contract published by the UK ICO to safeguard personal data sent outside the UK to certain third countries. It is designed to be a user-friendly and straightforward document for organisations to use for international data transfers.
Should you use the IDTA or EU SCCs and UK Addendum?
The IDTA and the UK Addendum are alternative ways to protect UK personal data during restricted transfers. UK businesses have a choice to use either:
- The IDTA as a standalone document or
- The EU SCCs, with the UK Addendum attached. The UK Addendum modifies the EU SCCs to comply with UK data protection law. Organisations using the EU SCCs may adopt and incorporate the UK Addendum to comply with UK data protection laws.
Your organisation's approach depends on your operations. For example, international organisations operating across the UK and EEA jurisdictions will likely prefer the EU SCCs plus the UK Addendum rather than adopting the IDTA.
Organisations already implementing the EU SCCs for data transfers may find adopting the UK Addendum a quicker and simpler fix.
The IDTA, however, is a standalone agreement (unlike the EU modular approach) that a controller or a processor can use. Like the EU SCCs, it places contractual obligations on data exporters and importers, which also considers Schrems II's decision.
When considering the choice between the IDTA or EU SCCs and UK Addendum, consider factors such as:
- Whether your business transfers personal data from the UK only or from the EU
- How familiar are you with the EU SCCs? If you have spent considerable time putting in place EU SCCs, the UK Addendum and EU SCCs may be a viable option.
This is a complex topic; legal advice from a specialist data protection lawyer on which documentation suits your business is advisable. A data protection lawyer can consider your business locations and data flows and advise you on the most appropriate mechanism to adopt for your purposes.
Do I still need to carry out a transfer risk assessment?
Yes. If your business relies on an Article 46 transfer tool (such as the IDTA or the EU SCCs with the UK Addendum), you must conduct a Transfer Risk Assessment (TRA). This will allow you to assess the risk of the relevant transfer, including checking if you need to put in place extra safeguards for the transfer. It's also important to note the distinction between Transfer Impact Assessments (TIA) and Transfer Risk Assessments and their implications.
Key steps for compliant international data transfers
Consider the following steps as a business transferring personal data out of the UK using these appropriate safeguard documents:
- Adopt an approach aligned with your business operations when implementing an IDTA or UK Addendum to the EU SCCs.
- Scope all contracts where using the IDTA or the UK Addendum is required.
- Conduct a TRA to identify whether supplementary measures are required within the appropriate agreements.
In October 2024, the UK government introduced the Data (Use and Access) Bill, which aims to update the UK's data protection laws in various ways. One key proposed change is a changed data protection test for third countries around data transfers. Businesses should watch for these developments and how they could change the rules on international data transfers. We’ll continue to watch this space.
We understand that conducting transfer risk assessments or deciding whether to use the IDTA or the UK Addendum are complex tasks. Our specialist data protection solicitors are on hand to assist you in identifying any restricted transfers and ensure that you have adequate safeguards to ensure compliance with the UK GDPR regime.
