The transitional arrangements to gradually phase out the use of EU standard contractual clauses ends 21st March 2024.
This means that all organisations that currently transfer data outside of the UK to a country without an adequacy decision and are still using the EU standard contractual clauses to legitimise that transfer, must enter into either the IDTA or the Addendum by 21st March 2024.
Background
The international data transfer agreement (IDTA) and the international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers (addendum) came into force in March 2022.
The IDTA and the Addendum replaced the EU standard contractual clauses for international transfer, in other words, they are the UK’s way of legitimising the transfer of personal data from the UK to another country that does not have an adequacy decision.
The documents were immediately of use back in 2022 but transitional arrangements were introduced to gradually phase out the use of the EU standard contractual clauses. The transitional arrangement end date was announced as 21st March 2024. All organisations which currently transfer data outside of the UK to a country without an adequacy decision and are still using the EU standard contractual clauses to legitimise that transfer, must enter into either the IDTA or the Addendum by this date.
Transfer risks assessment
Whilst both mechanisms are approved by UK parliament and can be used to legitimise a transfer from the UK, the Addendum is more appropriate for organisations operating across the UK and EU and therefore dealing with personal data of UK and EU residents. Whereas the IDTA is more tailored to transfers of UK residents’ personal data only.
In addition to implementing either the IDTA or the Addendum, organisations must carry out a transfer risk assessment to determine if the IDTA or Addendum provides enough protection on its own, if additional measures need to be implemented to protect the data or if the transfer cannot take place at all because the risks cannot be mitigated.
If you have any further questions on this, or need to implement either the IDTA or the Addendum, please contact sophiebrazier@schofieldsweeney.co.uk or karencrutchley@schofieldsweeney.co.uk.