The IDTA and Addendum replace the old EU SCCs; which had remained a valid tool for UK companies to use when transferring UK personal data from the UK to countries deemed ’non–adequate’ aka ‘third countries’.
With the IDTA and Addendum coming into force, the UK position has been updated to provide for an equivalent to the new EU SCCs which came into force in June 2021 but did not apply in the UK post-Brexit. If you’re scratching your head over the EU SCCs, head over to our recent blog.
When should we use the IDTA?
The IDTA is a standalone contract intended for use where only UK personal data is being transferred to a third country and enables parties to take into account the commercial and legal terms agreed in their data processing / services agreements.
When should we use the Addendum?
The Addendum is designed for use as an add-on to the new EU SCCs where UK and EU personal data is being transferred to a third country. In such circumstances, the Addendum makes a number of amendments to the new EU SCCs so that the proposed data transfer works from a UK GDPR perspective (i.e. providing for the ICO as the relevant supervisory authority and UK governing law).
It is expected that the Addendum will be more commonly used than the IDTA by companies operating in the UK and EU as a means of streamlining their contractual processes (including intra-group data transfers) in order to limit the amount of paperwork required for their international data transfers.
Do I need to do a Transfer Risk Assessment?
Whether the IDTA or Addendum is used, companies transferring personal data to third countries have an additional administrative burden of being required to carry out a transfer risk assessment (“TRA”) prior to making any such transfer. The aim of the TRA is for consideration to be given as to whether the IDTA/Addendum provides appropriate safeguards for the proposed international data transfer, or whether additional steps and protections will need to be taken.
A copy of the relevant TRA must also be made available to the ICO on request.
When should we use the IDTA and Addendum?
From 21 March 2022: The IDTA and Addendum are in force, but there is a transition period until 21 September 2022 during which UK companies have the option to use either the IDTA or old EU SCCs in new contracts.
From 21 September 2022: The old EU SCCs can no longer be used and UK companies must implement the IDTA/Addendum (as applicable) into all new contracts where personal data is being transferred to a third country.
By 21 March 2024: All existing contracts entered into on or before 21 September 2022 which rely on the old EU SCCs as a valid transfer tool will need to be amended to incorporate the IDTA/Addendum (as applicable).
The ICO have stated that they will soon be publishing the below additional tools to provide support and guidance to organisations using the IDTA/Addendum and carrying out TRAs:
Clause by clause guidance to the IDTA and Addendum
Guidance on how to use the IDTA
Guidance on transfer risk assessments
Further clarifications on international transfers guidance