Since 1 January 2021, the UK has been producing its own SCCs for transfers made from the UK, and new transfer agreements, which came into force on 21 March 2022.
The ‘old’ SCCs
The ‘old’ SCCs refer to the UK’s standard contractual clauses, based on the EU’s old SCCs.
There are two sets of model clauses. One governs controller-to-controller transfers and the other controller-to-processor transfers.
Controller-to-controller transfers take place when a data controller transfers personal data to another data controller. Data controllers are the main decision-makers. They decided on the purposes for and means of processing personal data. In other words, the data controller is the person who says how and why personal data is processed.
Controller-to-processor transfers take place when a data controller transfers personal data to a processor. A data processor carries out the instructions of the data controller in its processing of personal data. In other words, the data processor is the party acting on behalf of, and only on the instructions of, the data controller.
International Data Transfer Agreement (IDTA)
On 4 June 2021, the European Commission published new SCCs under the EU’s GDPR. The IDTA, which came into force on 21 March 2022, is the UK’s version of the EU’s SCCs (also known as the ‘new EU SCCs’). Like the ‘old’ SCCs, the IDTA will cover transfers from the UK to countries outside of the UK under the UK GDPR.
International Data Transfer Addendum (Addendum)
The Addendum, which came into force on 21 March 2022, attaches to and incorporates the ‘new’ EU SCCs. Once in force, the Addendum can be used to incorporate and modify the ‘new’ EU SCCs so that they can be used for data transfers that are restricted under the UK GDPR.