UK ICO's new data transfer agreements – in force today, 21 March 2022

The IDTA is a new agreement which imposes a range of obligations on the data importer to ensure that it provides an equivalent level of protection to the UK GDPR for personal data transferred from the UK.

Like the Standard Contractual Clauses, the IDTA can be executed alongside an agreement which covers the provision of the services which include the data processing (a Linked Agreement).

Generally speaking, the IDTA is shorter and clearer than the new EC Standard Contractual Clauses. One of the reasons for this is that the IDTA does not have ‘modules’ which contain different terms depending on whether the exporter and/or the data importer are controller or processor of the personal data.

One of the consequences of this is that the IDTA does not include provisions necessary to meet the requirements of UK GDPR Article 28, which requires controllers to include certain provision in their contracts with processors. This is significant for UK controllers who use overseas processors as these businesses will need to include the provisions required by UK GDPR Article 28 in their main services agreement.

To avoid a point of uncertainty that has affected the EC Standard Contractual Clauses, the IDTA makes clear that it can be used whether the data importer is subject to the UK GDPR or not. If the data importer is subject to the UK GDPR, then a general obligation to comply with the requirements of the UK GDPR replaces several more specific obligations in the IDTA.

Like the EC Standard Contractual Clauses, the IDTA addresses the issues raised by the European Court of Justice decision in the Schrems II case, by requiring the data importer to conduct a transfer risk assessment in respect of their country’s laws. This is an assessment of whether the IDTA can provide appropriate safeguards in that country. This assessment must take into account any local laws and practices of the importing country which:

• Imposes obligations on the data importer and/or affects the data transferred in a manner that may impinge on the IDTA’s guarantee of an essentially equivalent level of protection to that afforded under the UK GDPR.
• Does not respect the essence of the fundamental rights and freedoms recognised by UK law, or exceeds what is necessary and proportionate in a democratic society to safeguard an important objective which is also recognised in UK law.

The ICO proposes to release a transfer risk assessment tool, which will assist organisations to conduct this assessment.

The Addendum is a relatively short addendum to the new EC Standard Contractual Clauses. It effectively ‘piggybacks’ off the EC Standard Contractual Clauses and essentially extends and adapts them for use in the UK. For example, it replaces references to the EU with the UK, to the EU GDPR with the UK GDPR, and to European supervisory authorities with the ICO. Aside from these changes to the jurisdiction, the obligations of the data exporter and the data importer under the Addendum are effectively identical to those under the EC Standard Contractual Clauses.

The Addendum is particularly useful for UK businesses who also have operations in the EU, and have already entered into the EC Standard Contractual Clauses with an overseas recipient. In those cases, the Addendum extends the operation of the EC Standard Contractual Clauses to cover personal data exported from the EEA or the UK, and means that the data exporter has the same compliance obligations for both territories.