July 2, 2022

Volume XII, Number 183

Advertisement
Advertisement

July 01, 2022

Subscribe to Latest Legal News and Analysis

June 30, 2022

Subscribe to Latest Legal News and Analysis
Advertisement

UK Data Transfer Mechanisms: Key Takeaways for Employers

On 2 February 2022, the UK Information Commissioner’s Office (ICO) published the final form of its much-anticipated new International Data Transfer Agreement (IDTA) and the International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses.

The IDTAEU Addendum, and transitional provisions will now lay before Parliament and (unless objectives are raised, which is unlikely) become effective on 21 March 2022. Once effective, the IDTA and EU Addendum will replace the previous EU Standard Contractual Clauses (EU SCCs) and constitute the United Kingdom’s version of the EU SCCs.

Key takeaway points for employers include the following:

  • Provided that no objections are raised by Parliament, the IDTA and EU Addendum will become effective on 21 March 2022.

  • Any contracts entered into on or before 21 September 2021 on the basis of the “old” SCCs will continue to provide appropriate safeguards for the purposes of the UK General Data Protection Regulation (GDPR) until 21 March 2024.

  • From 21 March 2024, if an employer’s restricted transfers continue, the employer may make a restricted transfer under the UK GDPR by:

    • entering into a contract on the basis of the IDTA;

    • the EU Addendum (where EU SCCs are already in place, the EU Addendum may be annexed to the EU SCCs in order to satisfy the requirements of the UK GDPR);

    • Binding Corporate Rules; or

    • if the receiver is located in a third country or territory or is an international organisation, its coverage by UK “adequacy regulations” (see list of covered countries and territories).

Conducting a transfer risk assessment (TRA) continues to be a requirement in the United Kingdom, as it is in the European Union. A TRA is required to make sure that the actual protection provided by the IDTA or EU Addendum, given the actual circumstances of the restricted transfer, is sufficiently similar to the principles underpinning UK data protection laws.

© 2022, Ogletree, Deakins, Nash, Smoak & Stewart, P.C., All Rights Reserved.National Law Review, Volume XII, Number 35
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Associate

Salvatore specializes in data protection and privacy law. He supports clients across the world with their regulatory data privacy compliance. He works with partners and associates across Ogletree Deakins’ international network to advise clients on the impact of global data privacy laws, the complexities of international transfers, and the practical steps for compliance solutions to the myriad data protection laws. He also writes a personal blog on data privacy and technology, which features regular data protection, privacy and security legal updates to help his readers...

44(0) 207 822 7632
Advertisement
Advertisement
Advertisement