Data protection grace period ends 21st March 2024

14th March 2024

The transitional arrangements to gradually phase out the use of EU standard contractual clauses ends 21st March 2024.

This means that all organisations that currently transfer data outside of the UK to a country without an adequacy decision and are still using the EU standard contractual clauses to legitimise that transfer, must enter into either the IDTA or the Addendum by 21st March 2024.

Background

The international data transfer agreement (IDTA) and the international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers (addendum) came into force in March 2022.

The IDTA and the Addendum replaced the EU standard contractual clauses for international transfer, in other words, they are the UK’s way of legitimising the transfer of personal data from the UK to another country that does not have an adequacy decision.

The documents were immediately of use back in 2022 but transitional arrangements were introduced to gradually phase out the use of the EU standard contractual clauses. The transitional arrangement end date was announced as 21st March 2024.  All organisations which currently transfer data outside of the UK to a country without an adequacy decision and are still using the EU standard contractual clauses to legitimise that transfer, must enter into either the IDTA or the Addendum by this date.

Transfer risks assessment

Whilst both mechanisms are approved by UK parliament and can be used to legitimise a transfer from the UK, the Addendum is more appropriate for organisations operating across the UK and EU and therefore dealing with personal data of UK and EU residents. Whereas the IDTA is more tailored to transfers of UK residents’ personal data only.

In addition to implementing either the IDTA or the Addendum, organisations must carry out a transfer risk assessment  to determine if the IDTA or Addendum provides enough protection on its own, if additional measures need to be implemented to protect the data or if the transfer cannot take place at all because the risks cannot be mitigated.

If you have any further questions on this, or need to implement either the IDTA or the Addendum, please contact sophiebrazier@schofieldsweeney.co.uk or karencrutchley@schofieldsweeney.co.uk.

We’re here for you – contact us today

0300 124 0406
enquiries@schofieldsweeney.co.uk

Contact Us

Bradford office

Church Bank House
Bradford
West Yorkshire
BD1 4DY

What3words - names.frosted.broke
Phone: 01274 350 800 Fax: 01274 306 111

Leeds office

Centura
76 Wellington Street
Leeds
West Yorkshire
LS1 2AY

What3words - crass.makes.store
Phone: 0113 849 4000 Fax: 0113 243 9326

Huddersfield office

30 Market Street
Huddersfield
West Yorkshire
HD1 2HG

What3words - eaten.salads.case
Phone: 01484 915 000 Fax: 0800 368 8449

London office

33 Bedford Row
London
WC1R 4JH
Phone: 020 8146 5119
Copyright © Schofield Sweeney Solicitors. All Rights Reserved.

Schofield Sweeney LLP is authorised and regulated by the Solicitors Regulation Authority.

Website by Tall
Conveyancing Quality