New UK data protection clauses for restricted transfers

New UK data protection clauses for restricted transfers

From today, UK businesses now have two new transfer tools for use to comply with UK GDPR when making restricted transfers – the International Data Transfer Agreement (IDTA) and the UK Addendum (that hooks onto the New EU SCCs).


Before and after Brexit, UK businesses relied on a set of Standard Contractual Clauses (known as the Old EU SCCs) as the safeguard mechanism for transferring data outside the UK to third countries and international organisations.

These Old EU SCCs were rather restrictive in nature so in June 2021 the European Commission adopted new SCCs (New EU SCCs), however these could only be used by EU parties because the UK had already left the European Union when they were implemented. As a result, UK businesses have had to continue using the Old EU SCCs.

Now the UK government has provided its own transfer mechanism in the form of the IDTA and the UK Addendum for UK businesses to transfer personal data outside the UK to ‘third countries’ or international organisations.

What does this mean for your business?

As a UK data exporter, you now have six months (until the 21 September 2022) to stop using the Old EU SCCs in any new contracts which requires a transfer mechanism and 24 months (21 March 2024) to ensure your entire portfolio of contracts are updated to use either the IDTA or UK addendum.

If you’d like to learn more about restricted transfers and which approach is best to adopt, the IDTA or the addendum, then take a look at our new guide explaining data transfers from the UK.

Transfer Risk Assessments

In addition to implementing the IDTA or UK addendum, organisations must still carry out a transfer risk assessment. This is to ensure there are suitable safeguards in place to provide protection which is essentially equivalent to the principles underpinning UK data protection laws.

Our data protection and cross border compliance expert Lillian Tsang adds:

This is a positive step forward for businesses as the Old EU SCCs only consider the controller-to-controller transfer or the controller-to-processor transfer. The IDTA and the UK addendum provides more practical solutions by including an exporting processor into the contractual relationship.

'Businesses now have two challenges, firstly to assess which approach they should adopt into their contracts, the IDTA or UK addendum. And then to migrate their suite of contracts to these new transfer mechanisms.'

International transfers can be a time consuming and often complex exercise. If you’d like help with any aspect of GDPR, contract remediation or TRAs, our friendly team of data protection and compliance solicitors are here to help.

Our offices

A national law firm

A national law firm

Our commercial lawyers are based in or close to major cities across the UK, providing expert legal advice to clients both locally and nationally.

We mainly work remotely, so we can work with you wherever you are. But we can arrange face-to-face meeting at our offices or a location of your choosing.

Head Office

Floor 5, Cavendish House, 39-41 Waterloo Street, Birmingham, B2 5PP
Regional Spaces

Stirling House, Cambridge Innovation Park, Denny End Road, Waterbeach, Cambridge, CB25 9QE
13th Floor, Piccadilly Plaza, Manchester, M1 4BT
10 Fitzroy Square, London, W1T 5HP
Harwell Innovation Centre, 173 Curie Avenue, Harwell, Oxfordshire, OX11 0QG
1st Floor, Dearing House, 1 Young St, Sheffield, S1 4UP
White Building Studios, 1-4 Cumberland Place, Southampton, SO15 2NP
A national law firm

To access legal support from just £145 per hour arrange your no-obligation initial consultation to discuss your business requirements.

Make an enquiry