You may transfer personal data when the organisation receiving the personal data has provided appropriate safeguards. Appropriate safeguards may be put in place via:
Binding corporate rules (BCRs)
International data transfers between organisations within a corporate group (eg multinational companies or companies involved in a joint venture) may take place on the basis of Binding Corporate Rules (BCRs). BCRs require approval from data protection authorities (eg the ICO). However, once such approval is obtained, individual transfers can be made under a BCR without requiring further approval. A BCR may be created for a particular corporate group and may be tailored to meet its businesses’ specific data protection needs.
BCRs are like a code of conduct that organisations within the group must follow when making international data transfers. They allow organisations to transfer personal data internationally within the same corporate group to countries that do not provide an adequate level of protection.
For more information on BCRs, read the ICO’s guidance.
Model clauses
International data transfers may take place on the basis of standard data protection clauses known as ‘standard contractual clauses’ (SCCs) or ‘model clauses’. Model clauses are contractual clauses that you use by incorporating them into (ie legally including them in) a contract with the party receiving the data that you’re transferring.
The clauses must be used (essentially) as they stand. Any additional contractual language added to them should not contradict them in any way.
Model clauses for data transfers out of the UK need to be approved or issued by the UK Government. Before Brexit, the UK used the EU’s model clauses. Since 1 January 2021, the UK has had the power to produce its own model clauses. This has occurred, and in March 2022 two new options for data protection model clauses came into effect in the UK:
- International Data Transfer Agreements (IDTAs) - this is effectively the UK’s new equivalent to the EU’s new SCCs. The IDTA is a comprehensive contract covering data protection measures (eg security requirements). It can be used on its own to safeguard transfers of personal data out of the UK
- the International Data Transfer Addendum to the new EU SCCs (the Addendum) - the Addendum is used in conjunction with, and consequently incorporated into, the new EU SCCs. It is designed to be used when transferring data outside of both the UK and the EU. It provides a time-saving option if you’re transferring data out of the EU anyway, as it doesn’t require aspects of the new EU SCCs to be repeated for the UK part of the transfer
As of 21 September 2022, the IDTA or the Addendum must be used for all new data processing contracts that require model clauses.
Transitional provisions
Contracts concluded before 21 September 2022 using the old EU SCCs count as adequately safeguarded for UK GDPR purposes until 21 March 2024, assuming that the processing carried out under a contract doesn’t significantly change during this time. After this date, these existing contracts must have an IDTA or Addendum in place.
The EU SCCs
Note that, on 4 June 2021, the European Commission published new SCCs under the EU’s GDPR (the ‘new EU SCCs’). These are not valid for restricted transfers from the UK.
Certifications
International data transfers may take place on the basis of certifications. Certification schemes must be approved by the ICO and must include safeguards for protecting individuals’ data protection rights during restricted transfers. Certifications provide organisations with a formally recognised confirmation of compliance with UK data protection law, typically with an associated visual symbol, confirming that the organisation satisfies the requirements of the relevant seal or certification.
For more information about this complex area of law, Ask a lawyer for advice and read the ICO’s guidance.