ICO now requires standard contractual clauses
Businesses that use standard contractual clauses to safeguard personal data when making transfers of that data to countries located outside of the UK and EEA now need to use the new standard contractual clauses. In force since 21 March 2024, the new UK standard contractual clauses are one method for firms to make those restricted transfers, via a contract incorporating those standard clauses.
Firms that entered into the old EU standard contractual clauses issued by the European Commission under the old Data Protection Directive before 21 September 2022 will now need to have updated their contracts to include the new standard clauses – either on the basis of the International Data Transfer Agreement or the International Data Transfer Addendum – or they will need to use another method to make the restricted transfer.
Article 44 (general principle for transfers) states that personal data that is subject to the UK GDPR cannot be transferred to countries without an adequacy agreement, unless appropriate safeguards have been met. In practice this means that transfers of personal data for processing outside of the UK – unless an adequacy agreement exists – cannot take place unless a legitimate transfer mechanism is used: a legally binding and enforceable instrument between public authorities or bodies, UK binding corporate rules (UK BCRs) or the standard data protection contractual clauses.
Article 46 sets out the list of appropriate safeguards for transfer of personal data to third countries without an adequacy agreement to ensure that “both you and the receiver of the restricted transfer are legally required to protect people’s rights and freedoms about their personal data.”
Exporters of personal data can use the International Data Transfer Agreement or the addendum as a tool to comply with this requirement; standard contractual clauses are the most commonly used appropriate safeguard.
Transfer impact assessments are a requirement when transferring personal data that is subject to the UK GDPR. They are also known as ‘local law assessments’, a name that summarises what they aim to do, which is to provide those required safeguards and enforceable rights for people whose data you are transferring.
The ICO sets out that the transfer risk assessment must consider:
Risks to people’s rights arising in the destination country from third parties that are not bound by the Article 46 transfer mechanism accessing the information, in particular government and public bodies.
Risks to people’s rights arising from difficulties enforcing the Article 46 transfer mechanism.
The UK International Data Transfer Agreement (IDTA), a standalone agreement that implements the UK’s own version of the standard contractual clauses for international data transfers to third countries, came into force in March 2022, with 21 March 2024 as the deadline for the new standard contractual clauses to be in place.
Firms that rely on the EU standard contractual clauses need to note that these will no longer, on their own, be adequate for UK/third country data transfers, so the UK Addendum will need to be appended to the EU standard contractual clauses. All contracts will now need to have been updated to use either the International Data Transfer Agreement or the UK Addendum.
We support firms with their data protection regimes in a number of ways. We offer an Understanding The Data Protection Regulation (All Staff) online course that interprets the requirements that all staff need to abide by in an easy to understand, relatable way. Priced at £20, the course is accessible at the user’s convenience and provides a certificate upon successful completion. We also offer a senior version, designed for those in senior management.