Knowledge Hub
for Growth


Transferring personal data out of the UK: the IDTA and UK addendum explained

If your business transfers personal data out of the UK, you will need to ensure that your transfers comply with UK international data transfer laws.

Here we discuss the UK’s International Data Transfer Agreement (IDTA) and UK addendum and how these documents can serve as appropriate safeguards for international data transfers.

What are the UK standard contractual clauses (UK SCCs)?

The UK’s International Data Transfer Agreement (IDTA), with an addendum to the European Commission’s standard contractual clauses for international data transfers (UK Addendum), came into force on 21 March 2022.

Collectively these are essentially the UK’S standard contractual clauses (UK SCCs), the UK version of the EU standard contractual clauses (new EU SCCs).

The IDTA is a legal contract which has been published by the UK ICO to safeguard personal data which is sent outside of the UK to certain third countries. The IDTA is designed to be a user-friendly and simple document for organisations to use for international data transfers.

In contrast, the EU SCCs are contracts which have been produced by the European Commission, which are for the purposes of safeguarding personal data which is sent outside of the EU to certain third countries. The EU SCCs look different to the UK IDTA – they adopt a modular format and include separate provisions for various types of data-sharing scenarios.

UK businesses have a choice to use either:

  • The IDTA as a standalone document; or
  • The EU SCCs, with a specific UK Addendum document that modifies the EU SCCs to comply with UK data protection law. It is essential that organisations using the EU SCCs adopt the UK Addendum for the purposes of compliance with UK data protection laws.

What is a restricted transfer?

This transfer is covered by Chapter V of the UK GDPR (Retained EU General Data Protection Regulation (EU 2016/679)). The UK GDPR restricts transfers of personal data outside the UK unless there is a provision permitting the restricted transfer that complies with the UK GDPR.

Data exporters in the UK can use the IDTA or the EU SCCs with the UK Addendum as a transfer mechanism when making a restricted transfer.

Essentially a restricted transfer may take place if the data importer is located in a third country covered by the UK adequacy regulations or adequate safeguards, such as the UK SCCs.

The Information Commissioner’s Office (ICO) provides a checklist to assess restricted transfers and whether they can take place:

  1. Are we planning to make a restricted transfer of personal data outside of the UK?

    If not, you can make the transfer. If yes go to Q2.

  2. Do we need to make a restricted transfer of personal data to meet our purposes?

    If not, you can make the transfer without any personal data. If yes go to Q3.

  3. Are there UK ‘adequacy regulations’ about the country or territory where the receiver is located or a sector which covers the receiver?

    If yes, you can make the transfer. If no go to Q4.

  4. Are we putting in place one of the ‘appropriate safeguards’ referred to in the UK GDPR, such as the IDTA or Binding Corporate Rules?

    If yes, go to Q5. If no go to Q6.

  5. Having carried out a risk assessment, are we satisfied that for the data subjects of the transferred data, the relevant protections under the UK data protection regime will not be undermined?

    If yes, you can make the transfer. If no, go to Q6.

  6. Does an exception provided for in the UK GDPR apply?

    If yes, you can make the transfer. If no, you cannot make the transfer in accordance with the UK GDPR.

Should you reach the end of the checklist without finding a provision permitting the restricted transfer, then you will be unable to make that restricted transfer.

What is a third country?

This is a country or territory outside the UK. A non-adequate third country is one that lacks an adequacy decision. An adequacy decision means that the country has been assessed to provide adequate protection for personal data and you may send personal data there without putting additional measures in place.

The ICO’s guide to international transfers duly reviews and updates the countries which are deemed to be adequate.

How should transfers be made?

Organisations whose existing contracts relied on the old EU SCCs could previously consider them valid until 21 March 2024, provided the underlying data processing operations remained unchanged. This grace period has now passed. As a result, legacy contracts must now be reassessed and, where appropriate, updated to incorporate the IDTA or the new EU SCCs and the UK Addendum.

Which approach should you adopt – the IDTA or EU SCCs and UK Addendum?

The IDTA and the UK Addendum are alternative ways to ensure UK personal data is protected where there is a restricted transfer.

The approach your organisation uses depends on your operations, for example, international organisations that have operations across the UK and EEA jurisdictions will likely prefer the new EU SCCs plus the UK Addendum, rather than adopting the IDTA. The UK Addendum simply replaces terms that are EU specific with UK specific language. Organisations that have already implemented the new EU SCCs for data transfers may find adopting the UK Addendum as a quicker and simpler fix.

The IDTA, however, is a standalone agreement (unlike the new EU modular approach), that can be used by a controller or a processor. Just like the new EU SCCs, it places contractual obligations on Data Exporters and Data Importers which also considers the Schrems II decision.

When considering the choice between the IDTA or EU SCCs and UK Addendum, consider factors such as:

  • Whether your business transfers personal data from the UK only, or also from the EU.
  • How familiar are you with the EU SCCs? If you have spent considerable time already putting in place EU SCCs, the UK Addendum and EU SCCs may be a viable option.

This is a complex topic and legal advice from a specialist data protection lawyer on which documentation is suitable for your business is advisable. A data protection lawyer can consider your business locations, and its data flows, and can advise on the most suitable mechanism to adopt for your purposes.

The ICO, in due course, will publish tools to provide support to organisations, these will consist of:

  • Clause-by-clause guidance to the IDTA and Addendum.
  • Guidance on how to use the IDTA.

Do I still need to carry out a transfer risk assessment (TRA)?

In short, yes. You will need to carry out a TRA if you are making a restricted transfer, and you wish to rely on one of Article 46 transfer tools.

A TRA is essentially a mandatory risk assessment for restricted transfers being made from the UK to assess the risks of the data transfer and whether any additional safeguards are required to ensure an adequate level of protection for the personal data being transferred.

The Schrems II judgement emphasises that before you rely on an Article 46 transfer tool, you must conduct a risk assessment. All UK-based Data Exporters must carry out a TRA for restricted transfers.

To assist companies, the ICO has published transfer risk assessment guidance and a tool.

The tool will help determine whether the IDTA can provide sufficient safeguards or whether further protections are required before the restricted transfer takes place.

Contract remediation and next steps

Consider the following next steps as a business transferring personal data out of the UK:

  • Adopt an approach in line with your business operations when determining whether to put in place an IDTA or UK Addendum to the new EU SCCs.
  • Scope all contracts where the use of the IDTA or the UK Addendum are required.
  • Conduct a TRA to identify whether supplementary measures are required within the appropriate agreements.

We understand conducting transfer risk assessments or deciding whether to use the IDTA or the UK Addendum are complex tasks. Our specialist lawyers are on hand to assist you in identifying any restricted transfers and ensure that you have adequate safeguards in place to ensure compliance with the UK GDPR regime.

About our expert

Lillian Tsang MBA

Lillian Tsang MBA

Senior Data Protection and Privacy Solicitor
Lillian is an experienced data protection and privacy lawyer who qualified in 2008. She advises clients on a broad range of matters - from strategic compliance with a global stance to day-to-day operations. Her role also includes Harper James' Head of DPOaaS division (Data Protection Officer as a Service), where we act as the external DPO for a business or provide support to existing DPOs.


What next?

Please leave us your details and we’ll contact you to discuss your situation and legal requirements. There’s no charge for your initial consultation, and no-obligation to instruct us. We aim to respond to all messages received within 24 hours.

Your data will only be used by Harper James Solicitors. We will never sell your data and promise to keep it secure. You can find further information in our Privacy Policy.


Our offices

A national law firm

A national law firm

Our commercial lawyers are based in or close to major cities across the UK, providing expert legal advice to clients both locally and nationally.

We mainly work remotely, so we can work with you wherever you are. But we can arrange face-to-face meeting at our offices or a location of your choosing.

Head Office

Floor 5, Cavendish House, 39-41 Waterloo Street, Birmingham, B2 5PP
Regional Spaces

Capital Tower Business Centre, 3rd Floor, Capital Tower, Greyfriars Road, Cardiff, CF10 3AG
Stirling House, Cambridge Innovation Park, Denny End Road, Waterbeach, Cambridge, CB25 9QE
13th Floor, Piccadilly Plaza, Manchester, M1 4BT
10 Fitzroy Square, London, W1T 5HP
Harwell Innovation Centre, 173 Curie Avenue, Harwell, Oxfordshire, OX11 0QG
1st Floor, Dearing House, 1 Young St, Sheffield, S1 4UP
White Building Studios, 1-4 Cumberland Place, Southampton, SO15 2NP
A national law firm

Like what you’re reading?

Get new articles delivered to your inbox

Join 8,153 entrepreneurs reading our latest news, guides and insights.

Subscribe


To access legal support from just £145 per hour arrange your no-obligation initial consultation to discuss your business requirements.

Make an enquiry