Handling international transfers of personal data in accordance with UK GDPR
Is the restricted transfer covered by the “adequacy regulations”?
The UK GDPR restricts the transfer of personal data to receivers outside the UK which are not covered by UK adequacy regulations.
UK adequacy regulations set out in law that the legal framework in a country, territory, sector or international organisation has been assessed as providing adequate protection for individuals’ rights and freedoms for their personal data.
Currently, the UK adequacy regulations cover the EEA and all countries, territories and international organisations covered by European Commission adequacy decisions that were valid as at 31 December 2020. These include a full finding of adequacy for the following countries and territories: Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.
Further adequacy decisions are expected to be issued in due course by the UK government.
Standard contractual clauses and safeguards
Where no adequacy decision is in place for a particular country, Article 46 of the UK GDPR lists the appropriate safeguards that can be used instead, including standard contractual clauses (SCCs).
From 21 September 2022, any new or amended contracts and agreements involving restricted transfers (i.e. transfers of personal data to receivers which are not covered by UK adequacy regulations) must be covered by one of the new data protection clauses approved by the UK Information Commissioner's Office (ICO) for restricted transfers from the UK (unless an exemption applies). These new data protection clauses take two forms, and organisations can choose which form they wish to use:
- an International Data Transfer Agreement (IDTA) which is a standalone document providing appropriate safeguards for a restricted transfer of personal data from the UK; or
- an International Data Transfer Addendum to the new European Commission SCCs (Addendum), which is designed to be used together with the new SCCs issued by the European Commission. You should note that:
- the new EU SCCs are not valid for restricted transfers under the UK GDPR unless they are used in conjunction with the UK's own Addendum; and
- from 21 March 2024, the legacy EU SCCs will cease to be valid for restricted transfers from the UK. If your restricted transfers are continuing from that date, you must enter into a new contract on the basis of the IDTA or the Addendum, or find another lawful way to make the restricted transfer under the UK GDPR.
It is important to remember that before relying on the EU SCCs with the Addendum or on the IDTA, it is still necessary to undertake a transfer risk assessment (TRA) to confirm that the data subjects of the transferred data continue to have a level of protection essentially equivalent to that under the UK data protection regime.
Steps to follow when transferring personal data outside the UK
When transferring any personal data outside of the UK, the following steps should be followed:
- Consider whether the restricted transfer of personal data is necessary in order to meet your purposes. If those purposes can be achieved without transferring personal data outside of the UK then the restricted transfer should not take place.
- Check whether the country / territory / sector to which the personal data are being transferred is covered by UK adequacy regulations.
- If the country / territory / sector to which the personal data are being transferred is not covered by UK adequacy regulations, you will need to put in place one of the appropriate safeguards referred to in the UK GDPR unless an exemption applies. The most common safeguards for new transfers are the IDTA or the EU SCCs with the Addendum.
- Undertake a risk assessment to ensure you are satisfied that the data subjects of the transferred data continue to have a level of protection essentially equivalent to that under the UK data protection regime. In November 2022, the ICO published updated guidance on international data transfers including Transfer Risk Assessment guidance and a TRA tool.
- Consider what supplemental measures you already have in place, or can implement, if your risk assessment has identified issues. The data recipient may be able to assist you in this regard. The fine levied by the Irish Data Protection Commission against Meta (Facebook) for its transfers of personal data to the US is a stark reminder that the EU SCCs alone are not always sufficient to ensure the compliance of a transfer; supplemental measures may also be required.