Table of Contents
In Short
- UK businesses transferring personal data internationally must comply with UK GDPR and use either the UK IDTA or UK Addendum to EU SCCs.
- A Transfer Risk Assessment (TRA) is required before using these transfer mechanisms.
- Some countries (such as those with UK adequacy decisions) and the UK-US Data Bridge allow transfers without additional safeguards.
Tips for Businesses
Check whether your destination country has a UK adequacy decision before using SCCs or an IDTA. If not, ensure the correct transfer mechanism is in place. Conduct a Transfer Risk Assessment before proceeding. If uncertain, seek legal advice to avoid compliance breaches and potential penalties.
If your business transfers personal data outside the UK, you must follow strict data protection law rules under the UK General Data Protection Regulation (UK GDPR). Many companies transfer data internationally without realising it (for example, when using cloud services, IT support, or suppliers) based overseas. While most businesses understand the need to protect personal data, the rules on using Standard Contractual Clauses (SCCs) and other transfer mechanisms are fast-moving and have seen changes in recent years. These rules may be confusing for a small business to navigate. This article explores how SCCs apply to data transfers, how UK and EU rules differ, and why this matters for companies sending personal data outside the UK.
What are SCCs and Why are They Important?
The EU Commission introduced SCCs to provide a legal framework for businesses to transfer personal data outside the European Economic Area (EEA) and maintain GDPR protections. These are prescribed contracts that ensure the adequate protection of personal data when transferred outside the EEA. The current modernised EU SCCs follow a modular structure, which means businesses must select the proper clauses depending on their transfer scenario.
However, since Brexit, UK businesses have not been able to rely solely on EU SCCs for UK data transfers. To comply with UK data protection laws, the UK has introduced its own mechanisms. The International Data Transfer Agreement, or IDTA, provides a UK-specific contract for data transfers, and the UK Addendum modifies EU SCCs to make them work under UK GDPR.
If your business transfers personal data from the UK, it cannot rely on EU SCCs alone. To comply with the UK GDPR and the Data Protection Act 2018, your business must either use the UK IDTA or attach the UK Addendum to EU SCCs.
How Do UK Data Transfer Documents Compare With the EU’s SCCs?
The UK takes a different approach to international data transfer documents.
While the EU SCCs apply to transfers from the EEA, UK GDPR requires businesses to either use the UK’s own IDTA or attach the ‘UK Addendum’ to EU SCCs. Unlike EU SCCs, which use a modular system, the UK IDTA provides a single, standalone contract that applies to all types of data transfers (but must be completed appropriately).
For businesses operating in the UK and the EU, using the UK Addendum alongside EU SCCs may be the simplest way to ensure compliance. However, this complex question requires several considerations, depending on the relevant business and its data transfers. If companies are unsure about whether to use the EU SCCs, the UK Addendum, or the ICO’s IDTA, they should seek legal advice.
Continue reading this article below the formCall 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.
What Should Businesses Know About EU SCCs and the UK’s Data Transfer Documents?
These regulatory-approved documents can be hugely helpful for businesses. Since most terms in these agreements are standardised, businesses can streamline contract negotiations. This structure makes it easier for companies to integrate them into their projects by potentially reducing contract negotiation delays.
Since the EU SCCs, IDTA, and UK Addendum are pre-approved agreements with little room for negotiation, businesses must take the time to understand and complete them correctly to avoid compliance risks. Rolling them out without understanding precisely what they mean is not enough.
Businesses must carefully review their obligations before signing the documents- as they impose strict compliance duties, and companies must ensure they can meet all their commitments.
If there is any uncertainty, you should seek legal advice before proceeding. For the EU SCCs, businesses should seek legal advice from local EU lawyers.
Transfer Risk Assessment
Businesses must also conduct a Transfer Risk Assessment (TRA) and document their findings before relying on these mechanisms. A TRA helps companies assess whether the recipient country provides adequate data protection and identify whether additional safeguards are necessary.
Are SCCs or the IDTA Always Required for International Data Transfers?
Businesses subject to the UK GDPR rules do not always need EU SCCs with a UK Addendum or an IDTA for all international data transfers.
This factsheet sets out how your business can become GDPR compliant.
For example, the UK has granted certain countries an adequacy decision upon which businesses can rely. In simple terms, countries deemed ‘adequate’ meet UK GDPR standards for protecting personal data so companies can transfer data without additional safeguards. The ICO publishes a list of adequacy-approved countries, which businesses should check before deciding on a transfer mechanism.
The UK also approved the UK-US Data Bridge as an extension to the Data Privacy Framework, allowing transfers to certified US organisations under UK GDPR. If a US recipient is certified under this scheme, businesses may not need SCCs or an IDTA. However, a valid transfer mechanism remains necessary if the recipient is not certified, and this mechanism may not apply to all data transfers to the US.
Exceptions
Businesses may also be able to rely on limited exceptions under UK GDPR. However, these exceptions apply only in specific cases and require careful assessment. If you wish to rely on an exemption for an international data transfer, you should consider legal advice from a data protection solicitor.
Key Takeaways
Businesses that transfer personal data outside the UK must ensure compliance with UK GDPR. EU SCCs alone are not valid under UK law, so companies must either use the UK IDTA or attach the UK Addendum to EU SCCs. Businesses must also conduct a Transfer Risk Assessment before relying on SCCs or the IDTA. If you need support understanding whether you need international data transfer documents for your data transfers, you can seek legal advice from a data protection solicitor.
If you need advice on UK GDPR international data transfers, our experienced data and privacy lawyers can help as part of our LegalVision membership. For a low monthly fee, you’ll have unlimited access to lawyers who can answer your questions, review your data protection policies, and guide you through complex compliance issues. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
Not always. If your business transfers data to a country with a UK adequacy decision, you do not need to use Standard Contractual Clauses or the International Data Transfer Agreement. Similarly, you may not need these agreements if your business transfers data to a US company certified under the UK-US Data Bridge. You may also be able to rely on certain legal exceptions under UK GDPR, but these only apply in limited circumstances.
The IDTA is a legally approved contract published by the ICO. This allows businesses to transfer personal data outside the UK and comply with the UK GDPR.
We appreciate your feedback – your submission has been successfully received.
