February 4, 2026
Data Protection Law
International Law

The UK’s data protection regulator, the ICO, has issued long-awaited additional guidance on international transfers of personal data to organisations based outside the UK.

Much of what has been updated is not new. The ICO has said that the additional guidance breaks down pre-existing guidance in a format that is easier to understand, with new examples and tests to help businesses comply with complex rules. 

However, the additional guidance goes into new detail around the most common mechanism to comply with the UK GDPR used by businesses – the ‘Standard Contractual Clauses’ (SCCs). That detail provides a few, but welcome, answers to common questions asked by lawyers, while leaving other points unanswered. 

In this blog we will provide a recap of the rules around international transfers and the SCCs and provide an overview of the notable updates to the ICO’s Guidance on International Transfers of Personal Data. 

Recap

As we have covered elsewhere (e.g. here and here), under the UK GDPR it is unlawful for a data controller or a data processor to export personal data from the UK to an organisation based in another jurisdiction (a ‘restricted transfer’), unless a specific legal condition is satisfied. Essentially the same rules apply under the EU GDPR. 

There are three conditions:

  • The jurisdiction has been deemed ‘adequate’ by the UK Government as providing substantially similar protections to data subjects in respect of their personal data as are available under the UK GDPR. These include jurisdictions such as the member states of the European Economic Area, Switzerland or the United States (where the importing organisation is enrolled in the United States’ Data Privacy Framework).
  • The exporter of personal data puts in place ‘appropriate safeguards’ to protect the personal data being transferred. The SCCs are an example of an appropriate safeguard. 
  • A specific exemption applies, such as a transfer made with the consent of the data subject.

In a globalised world, businesses are having to make frequent transfers of personal data to another jurisdiction and will have to constantly be aware of their compliance with these rules. 

In practice, most businesses will want to focus on: 

1. When does a transfer of personal data abroad actually take place for the purposes of the UK GDPR? In other words, when does an organisation actually make a restricted transfer?

2. Who is responsible for complying with the UK GDPR when the transfer occurs?

3. Is the transfer to an ‘adequate’ jurisdiction under the UK GDPR?

4. If the transfer isn’t to an adequate jurisdiction – are SCCs in place to satisfy the UK GDPR’s requirements?

As such the ICO has focused its updated guidance on these areas. We highlight the most useful updates below.

International transfers – a three-step test

The ICO has expanded upon its ‘three-step test’ for businesses to use to determine if they are making a restricted transfer, as follows: 

Step 1: Does the UK GDPR apply to our processing of the personal information we’re transferring? Remember, you’re considered to be processing personal information even when your processor is doing the processing on your behalf.

Step 2: Are we initiating the transfer of personal information to an organisation which is located outside the UK?

Step 3: Is the organisation we’re transferring the personal information to a separate legal entity from our own?

Step 1 guidance

The ICO reiterates the usual test: the UK GDPR applies if the organisation (a) is established in the UK; (b) is offering goods or services to data subjects in the UK; or (c) is monitoring the behaviour of data subjects in the UK.

That said, the ICO has highlighted an additional category, where ‘another part of your corporate group outside of the UK is processing the information, and that processing is inextricably linked to your UK establishment.’

This reflects Article 3 of the UK GDPR, but was omitted from the ICO’s previous guidance (and its guidance elsewhere). This is an important reminder that foreign entities within the same corporate group as UK-established entities can be caught by the UK GDPR inadvertently.

Step 2 guidance

In its updated guidance, the ICO has placed an emphasis on what a ‘transfer’ actually means. In its previous guidance, only passing mention was given to the fact that merely making personal data accessible to an entity outside of the UK was a restricted transfer. In its revised guidance, this point is placed front and centre. The ICO has given a new example: 

A UK business enters into an IT support contract with an Indian company. The information remains on the UK business’ servers in the UK. The IT support team located in India may access the information via a VPN when maintenance is required.

A restricted transfer takes place when the Indian company accesses the information on the UK servers.

However, the UK business ensures a transfer mechanism is in place (e.g. appropriate safeguards) at the point when it makes the information accessible and before any restricted transfer takes place.

Such emphasis is likely in response to a common misconception – that the personal data must be “sent” to a third party for the restricted transfer rules to apply.

Further, the ICO has clarified how a business can assess whether it ‘initiated the transfer’ for the purposes of the UK GDPR.

In the ICO’s view: ‘[i]nitiating a transfer is making the initial decision that causes the transfer to happen. This is different from authorising it…’ Its suggested (and new) “rule of thumb” is ‘you’re not initiating the transfer if you didn’t design the transfer structure or architecture, nor initially chose the receiver.’ This means that businesses ‘should follow the contractual relationships’ to determine which entity may be initiating the transfer.

Such guidance is a welcome clarification of the rules, which should hopefully provide businesses and their staff with added confidence that they are getting international transfers right. 

Step 3 guidance

The guidance has placed renewed emphasis on intra-company and intra-group transfers.

Another very common misconception is that transfers between companies within the same group are not restricted transfers when a group company is based outside the UK. The UK GDPR treats all legal entities separately, without any distinction for companies with a common parent entity.

In the previous guidance the ICO only dedicated a sentence and a single example to cover this important point. The updated guidance has many more examples. For example: 

A UK company uses the IT support services offered by its US parent company rather than employing its own local IT experts. The UK company enables the IT team at the US parent company to remotely access its devices via a VPN to provide IT support.

This is a restricted transfer. The three-step test is met:

Step one: The UK GDPR applies to the UK company’s processing.

Step two: The UK company makes personal information accessible to its US parent company (the UK company initiates this transfer by enabling access).

Step three: The US parent company is another company within the same corporate group, so it’s a separate legal entity.

The UK company is responsible for complying with the transfer rules because it initiates the transfer to its US parent company.

How do we make a restricted transfer?

As touched on above, once you’ve determined that you are making a restricted transfer under the UK GDPR, the next step is to identify a lawful mechanism for that transfer. The ICO’s guidance reiterates that there are only three ways to lawfully make a restricted transfer:

  • The destination country benefits from a UK adequacy regulation;
  • You implement an appropriate safeguard; or
  • A specific exception (or ‘derogation’) applies, such as where the data subject has explicitly consented.

The most common appropriate safeguard is the use of SCCs.

The ICO has provided additional guidance around the use of SCCs, which is very welcome. 

Revised SCC guidance

Under the UK GDPR, the SCCs come in two forms: 

As the name suggests, the UK Addendum can be used alongside the EU SCCs that may already be in place, or they can be used in parallel. However, there is nothing stopping a business from just using the IDTA and the equivalent EU SCCs. There are pros and cons to either option.

The ICO has introduced additional guidance around how the UK SCCs can be flexibly used by businesses. We highlight the key areas of interest below. 

IDTA

It was previously known that the IDTA could be incorporated by reference into a wider commercial contract. There was not necessarily a need to complete the form of the IDTA as published by the ICO. 

This provides businesses with flexibility, but previously it was not clear how much information was required to be expressly set out in a commercial contract to make sure that the IDTA was completed properly. 

The ICO has now addressed this point in its revised guidance. 

In order to complete the IDTA properly, the “Parts” in the ICO’s form needed to be addressed.

The ICO’s new guidance states that Part 1 is mandatory. The “Tables” contained in Part 1 are quite detailed and require a lot of additional information that may already be obvious as part of the contract. Re-completing the Part 1 Tables is a heavy administrative burden and slows commercial arrangements down.

Helpfully, the ICO has clarified that Part 1 can be deemed to have been properly completed if ‘you fill in Tables 1, 2 and 3, or the commercial contract provides the information they require.’ This significantly reduces the amount of potential duplication in a commercial contract. It also assists businesses who may by mistake not fully complete each Table – provided that the contract provides the necessary information the IDTA will remain effective. 

The ICO’s approach here likely follows what became market practice after the IDTA was formally approved in 2022. 

UK Addendum

Interestingly, the ICO has not adopted the same flexible approach with the UK Addendum. The ICO’s new guidance states that the Tables in Part 1 of the UK Addendum must be completed, and there is no discretion to leave the tables themselves uncompleted and instead rely on what the wider contract may state.

This may raise questions about the effectiveness of any UK Addendum that is incorporated into a wider commercial agreement rather than being independently completed by using the ICO’s published version.  

Updates

Notably, the ICO has confirmed that it plans to update both the IDTA and the UK Addendum in 2026. 

Businesses should consider now what the effect of any updates may be. SCCs are a common feature of many commercial contracts with a data protection element. Changes to the UK SCCs, even if we do not know now what those will be, can have an impact on the continuity of any commercial agreement that relies on UK SCCs. Key contracts should be looked at now to ensure that any amendments to the UK SCCs will not pose an issue to the provision of key services. 

What’s next?

The ICO has signalled that this is not the end of its work on international transfers. It plans to release further support materials, including updated clause-by-clause guidance on the IDTA and Addendum, more practical examples and an interactive tool to help organisations determine whether a restricted transfer is taking place.

If you have any questions about international data transfers or need support reviewing your contracts, our data protection lawyers are here to help. Please contact us here or contact Neil Williamson or Colin Lambertus directly to discuss how the ICO’s updated guidance may affect your organisation. 
