Since 1 January 2021, the UK has been able to produce its own SCCs for transfers made from the UK. Consequently, the UK’s new International Data Transfer Agreement (IDTA) and the Addendum to the ‘new’ EU SCCs were introduced on 21 March 2022.
The International Data Transfer Agreement (IDTA)
On 4 June 2021, the European Commission published new SCCs (the ‘new EU SCCs’) under the EU’s GDPR. The IDTA is the UK’s equivalent of the new EU SCCs. Like the ‘old’ SCCs, the IDTA covers data transfers from the UK to countries outside of the UK.
The International Data Transfer Addendum (Addendum)
The Addendum attaches to and incorporates the ‘new’ EU SCCs into contracts or data transfers from the UK to countries outside of the UK. The Addendum can be used to incorporate and modify the ‘new’ EU SCCs so that they can be used for data transfers outside of both the UK and the EU. This provides a time-saving option if you’re transferring data out of the EU anyway, as it doesn’t require aspects of the new EU SCCs to be repeated for the UK part of the transfer.
The ‘old’ SCCs
The ‘old’ SCCs refer to the UK’s standard contractual clauses, based on the EU’s old SCCs.
There are two sets of model clauses. One governs controller-to-controller transfers and the other controller-to-processor transfers.
Controller-to-controller transfers take place when a data controller transfers personal data to another data controller. Data controllers are the main decision-makers. They decided on the purposes for and means of processing personal data. In other words, the data controller is the person who says how and why personal data is processed.
Controller-to-processor transfers take place when a data controller transfers personal data to a processor. A data processor carries out the instructions of the data controller in its processing of personal data. In other words, the data processor is the party acting on behalf of, and only on the instructions of, the data controller.