International transfers of personal data to a recipient outside of the UK may only take place if:

  1. the jurisdiction is deemed to have an adequate level of protection for data subjects’ personal data compared with that of the GDPR; or
  2. there are “appropriate safeguards” in place; or
  3. there are only occasional necessary transfers and a particular derogation my apply.

The countries deemed by the UK to have adequate data protection laws are few, including the European Economic Area (EEA) countries, Andorra, Argentina , Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.

If personal data is to be exported from the UK to any other country then generally the most common “appropriate safeguard” utilised is the approved Standard Contractual Clauses (“SCCs”). Pre-Brexit the EU approved SCCs applied to the UK as they did to every EU country. However, new forms of SCCs approved by the EU were adopted on 4th June 2021 (“New SCCs”).

The UK’s answer to the New SCCs was and is the International Data Transfer Agreement (“IDTA”) which came into force on 21st March 2022.

As well as the IDTA, the UK adopted an addendum (“UK Addendum”) to the New SCCs which is convenient for businesses with data transfers subject to both EU and UK GDPR and/ or who may already have the New SCC’s in place.

Whilst many organisations have utilised the IDTA or the UK Addendum, some organisations have not and have legitimately continued to use the original SCCs. That option ends on 21st March 2024.

Accordingly, it will be a breach of UK GDPR/ Data Protection Act 2018 for organisations internationally transferring personal data relying on “appropriate safeguards” and utilising SCCs unless they do so utilising IDTA or the New SCCs and the UK Addendum.

You should contact us immediately if you need advice in this area to avoid the risk of incurring substantial fines.

Contact Howard Ricklow via email at howard.ricklow@wellerslawgroup.com or by phone on 020 7481 6396.