Action required: Ensure compliance with UK Data Transfer Mechanism
In 2022, the UK government introduced new mechanisms for transferring personal data outside the country. Previously, companies relied on EU Standard Contractual Clauses (EU SCCs) for data transfers. However, post-Brexit, the UK introduced its own alternatives:
The International Data Transfer Agreement (“IDTA”)
– A equivalent of the EU SCCs for international data transfers for international data transfers from the UK to countries without equivalent privacy laws.
The international data transfer addendum (the “UK Addendum”)
– Amends the EU SCCs so that they are applicable under the UK GDPR for international data transfers from the UK to countries without equivalent privacy laws.
The two documents adopted by the ICO in March 2022 aim to ensure adequate protection for individuals’ data when transferring personal information from the UK to countries without an adequate level of data protection under the UK GDPR.
A transitional period was granted for businesses to update their data transfer agreements and incorporate the new transfer mechanism. In that regard, agreements signed before 21 September 2022 can rely on old EU SCCs until 21 March 2024 (provided there have been no modifications to the data transfer operations under those agreements).
By 21 March 2024, all agreements relying on the old EU SCCs for UK transfers must have been updated to either the IDTA or UK Addendum.
Any new agreements entered into force since 21 September 2022 must already be incorporating either the IDTA or the UK Addendum.
Next steps:
With the 21 March 2024 deadline approaching, it is recommended that you review your international data transfer agreements. In particular, review any existing agreements incorporating the old EU SCCs to begin updating these over to the new UK SCCs ahead of the statutory deadline.
It’s essential to note that this requirement applies specifically to data controllers who transfer the data of UK data subjects to third countries lacking an appropriate level of data protection.
Failing to update existing arrangements by the end of the grace period, and continuing to transfer personal data to third countries using the EU SCCs will result in a breach of the UK GDPR, and subsequently regulatory enforcement and sanctions. The ICO has the power to impose fines of up to £17.5 million or 4% of the total annual worldwide turnover (whichever is higher in the preceding financial year) on businesses for non-compliance.
What should you do:
Review your current data transfer agreements to incorporate the new UK data transfer mechanism before the mandatory deadline
Contact us at [email protected] for assistance to ensure compliance with the UK GDPR and avoid regulatory enforcement and fines.
Nous contacter
Nous espérons que ces informations vous seront utiles. Si vous avez besoin d'un représentant de l'UE, si vous avez des questions sur le GDPR ou si vous avez reçu une demande de SAR ou d'un régulateur et que vous avez besoin d'aide, n'hésitez pas à nous contacter à tout moment. Nous sommes toujours heureux de vous aider...
L'équipe locale GDPR.
Recent blogs
AI in Recruitment: Balancing Innovation with GDPR Compliance
AI in recruitment is transforming the HR landscape, offering unprecedented efficiencies and imp
The Future of Finance: Adapting to AI and Data Privacy Laws
The rapidly evolving landscape of financial technology is witnessing a significant transformation w
Navigating the Contradictions: Automated Decision-Making and Regulatory Legislation in AI Systems
The Dilemma of Automated Decision-Making At the heart of AI systems lies the promise of aut