Update to Advisory Note 02/2022 published in February 2022
UK-based organisations sending personal data outside the UK or making it available to
organisations in other countries need to comply with the rules on international transfers.
In some cases, as this document will explain, it may be necessary to enter into a contract to
provide safeguards for such transfers of personal data.
In March 2022, The Information Commissioner’s Office (ICO), the UK’s data protection
regulator, issued standard clauses for this purpose, called the International Data Transfer
Agreement (IDTA). They also issued a UK Addendum to the standard contractual clauses
approved by the European Union in 2021 (2021 EU SCCs).
Prior to the UK’s withdrawal from the European Union, some UK-based organisations may
have signed previous versions of the EU SCCs. Any pre-2021 EU SCCs already signed will
continue to be valid until 21st March 2024.
Since March 2022, UK-based organisations have been able to use either the IDTA or the
2021 EU SCCs with the UK Addendum where such contracts are required. From 21st
September 2022, these are the only standard contractual clauses that may be used by
organisations in the UK.
By 21st March 2024, any pre-2021 EU SCCs will have to be updated to either the IDTA or the
2021 EU SCCs with the UK Addendum to comply with UK law.
