On 21 March 2022, a set of two alternative personal data transfer mechanisms came into force. These are UK’s equivalents of the new EU standard contractual clauses adopted in June 2021. The mechanisms were developed as a response to the CJEU’s decision in the Schrems II case. They are designed to ensure that the restricted transfer to a country or organization not providing the “adequate protection” is, nonetheless, carried out in accordance with the requirements of the Article 44 of the UK GDPR.
Getting Familiar With Standard Contractual Clauses
The protection offered by the GDPR continues to apply. This holds even when the personal data afforded the GDPR protection is transferred outside the EU territory. The GDPR envisages several data transfer mechanisms that essentially ensure a level of protection for data subjects remain substantially the same after the international transfer has taken place. These mechanisms consist of mechanisms set up on regional, organizational or company-wide level. They are not connected to a specific data transfer, such as adequacy decisions, binding corporate rules and codes of conduct. Mechanisms conceptualized in a way allowing to be used and adopted in respect to an individual international data transfer, for example, standard contractual clauses, are also disconnected.
Standard contractual clauses (SCC) is a standard form contract containing a set of provisions ensuring cross-border data transfer to a territory or organization not covered by the adequacy decision and not subject to binding corporate rules, codes of conduct or individual derogation nonetheless includes appropriate data protection safeguards that will ensure the level of protection of rights and freedoms of data subject is not undermined by the transfer.
Current Background Of The Standard Contractual Clauses
To this date, the European Commission adopted standard contractual clauses twice. The first, consisting of three separate standard form contracts, were adopted under the previous Data Protection Directive 95/46 (“old SCC”). Observations by the ECJ in Schrems II conclude, that old SCC do not offer adequate protection of transferred personal data. They need to be supplemented by the additional data protection safeguards. The Commission replaced the old SSC on 4 June 2021 with modernized standard contractual clauses. These consist of one adaptable standard form contract (“new EU SCC”). The new EU SCC now include an additional annex. This is where parties to the transfer can set forth sufficient guarantees for technical and organizational measures. This ensures that the processing of personal data transferred to a third-country meets the requirements of the GDPR.
The provisions of the GDPR, including regulation of cross-border transfers, the old SCCs and the outcome of the Schrems II decision were transferred into the UK legal system at the time the UK exited the EU. Therefore the new EU SCC, adopted by the Commission after the Brexit, as such do not apply in the UK. Thus, to ensure the standard contractual clauses in force in the UK provide appropriate safeguards, two separate standard form contracts were prepared by the UK Information Commissioner (“ICO”). After no objections had been raised by Parliament, they came into force on 21 March 2022.
Newly Adopted Set Of Cross-Border Transfer Mechanisms
The newly adopted standard data protection clauses transfer mechanisms consist of two alternative standard form contracts. They are called the International Data Transfer Agreement (“IDTA”) and the International Data Transfer Addendum to the new EU SCCs (“UK Addendum”). Both are designed to essentially replace the use of the old SCC for restricted transfers.
The IDTA and the UK Addendum as alternatives using “one-size fits all” provide for flexible yet simple application. Companies subject to the UK GDPR are free to decide which of the IDTA or the UK Addendum to use. They decide considering the nature and properties of the individual restricted transfer.
IDTA – International Data Transfer Addendum
The IDTA as a standalone agreement is appropriate for restricted transfers subject to the UK GDPR only and carried out by the UK-based companies. The mechanism should be adopted for transfers for which no obligation to enter into the new EU SCC exists. Though in substance similar to the new EU SCC, the IDTA respects and considers the commercial character of dealing in the context of which it is applied. For this reason, key features of the IDTA should be noted (majority to be considered in comparison to the new EU SCC).
The IDTA, unlike the new EU SCC, may also be used to provide appropriate safeguards in situations of cross-border transfers where the UK GDPR applies not only to the exporter but also to the importer. Furthermore, it can be used in any situation of cross-border transfer. It is not limited to the types of relationships envisaged by the new EU SCC’s modules. For example, the IDTA may be used for transfer of personal data between two independent processors when so instructed by the controller.
Link To The Main Agreement
The provisions of the IDTA presuppose the IDTA is entered into in addition to a main agreement being concluded between the parties to the transfer. The provisions of this main agreement, be it the MSA, DPA or other, also govern the IDTA, provided the appropriate safeguards under the IDTA are not affected.
In line with the personal data processing principles, the IDTA requires parties to specify the first review date and the review period for conducting all subsequent reviews of the technical and organizational measures adopted.
Extra Protection Clauses. The IDTA allows the parties to the transfer to include the supplementary measures required by the ECJ in the Schrems II case to be included in the text of the agreement.
Following any changes to the template IDTA by the ICO, the IDTA adopted by the parties to the transfer is automatically amended to reflect those changes. However, the parties to the IDTA may decide to allow one or the other party to terminate the IDTA. This can be done when the changes made result in substantial, disproportionate, and demonstrable increase in a party’s direct costs and/or risks.
Unlike the new EU SCC, the IDTA does not only allow the resolution of disputes through the courts. It also provides for the arbitration as an additional alternative dispute resolution mechanism.
On the downside, the IDTA does not include all mandatory processor obligations required under Article 29 of the UK GDPR. Therefore, a separate data processing agreement must be concluded between the parties when transferring personal data under the controller-processor relationship.
UK Addendum And Standard Contractual Clauses (SCC)
The UK Addendum was designed for use in transfers of personal data subject to EU GDPR and UK GDPR. It shall be used as an “add-on” to the new EU SCC to modify the provisions of the new EU SCC. Therefore it fits the post-Brexit environment and the provisions of the UK GDPR. Therefore the UK Addendum is best suited to be used by larger multinational organizations. They can ensure compliance with the UK as well as the EU data protection regulations by using one data transfer agreement. Such agreement should consist of the UK Addendum alongside the new EU SCC.
The UK Addendum being the “add-on” to the new EU SCC, it assumed some of the drawbacks of the new EU SCC. The main one being the narrower scope of application. As such, it cannot be used in situations where the importer is subject to the UK GDPR. It also can’t be used in any situation (i.e. relationship) not envisaged by the modules of the new EU SCC.
What Are The Key Points?
Regardless of its reliance on the new EU SCC, the UK Addendum incorporates provisions that make it easy to use:
- Easy Execution. The UK Addendum can be executed and incorporated in any way that makes it legally binding on the parties. All while disregarding the terms of the new EU SCC, which require the parties to appropriately affix the signatures.
- Automatic Revision. Like the IDTA, the UK Addendum is to be amended automatically when changes are made to the template UK Addendum by the ICO. Likewise parties to the UK Addendum, have an option to arrange for termination under following conditions. Where revisions cause a substantial, disproportionate, and demonstrable increase in a party’s direct costs and/or risks.
What Follows The Newly Adopted Standard Contractual Clauses
The ICO’s Guide to the GDPR has already been amended to reflect the newely adopted standard protection clauses mechanisms. Furthermore, the ICO is expected to publish a further guidance for organizations on use of the IDTA and UK Amendment. This includes the clause-by-clause guidance.
Dates to remember
21 March 2022 – You may start using the IDTA and the UK Addendum for your restricted transfers. You should also consider updating your template transfer arrangements appropriately.
21 September 2022 – Making restricted transfer pursuant to standard data protection clauses transfer mechanism? You must use the IDTA or the UK Addendum.
21 March 2024 – Data transfer arrangements consisting of old SCC shall be replaced with the IDTA or the UK Addendum.
Read More Of Our Articles: