On 2 February 2022, the Department for Digital, Culture, Media & Sport laid before Parliament the final text for:
These are expected to come into force on 21 March 2022, provided that no objections are raised.
This is welcome news for businesses that are transferring personal data outside of the UK, which until now have been reliant on outdated EU Standard Contractual Clauses which pre-dated the EU GDPR. The revised safeguards now align with the UK GDPR and Data Protection Act 2018, whilst also taking into account the Schrems II ruling from July 2020.
Unlike the modular approach taken by the EU’s updated Standard Contractual Clauses, the IDTA is one agreement which covers the various plausible controller, processor and sub-processor relationships between the data exporter and data importer. The parties simply complete Part 1 of the IDTA to specify the nature of their relationship.
The IDTA must be used for transfers of personal data from the UK to data importers in third countries, even where the data importer is itself subject to the UK GDPR as a result of the UK GDPR’s territorial scope provisions. These territorial scope provisions extend the regulation to cover processing by controllers and processors not established in the UK, if their processing activities relate to the offering of goods or services to data subjects in the UK or the monitoring of behaviour of data subjects in the UK.
The ICO has committed to publishing clause-by-clause guidance on the IDTA and UK Addendum, as well as guidance on using them and transfer risk assessments, all of which will follow soon.
We will be releasing further commentary on the IDTA and UK Addendum in due course. If you have any questions, please contact our Data Protection team.