Human resources at a click
Login
0

21 March 2024 Deadline: Are your international data transfer agreements compliant?

  • HR Article
  • Data Protection
orange internet cable|orange internet cable

If your organisation transfers personal data from the UK to another country, it needs to comply with statutory requirements to ensure adequate levels of protection for that data are in place.

Some countries have an ‘adequacy decision’ which means they have been judged as having adequate protections in place and so you can transfer personal data to these countries without needing any further specific approval.  A normal, commercial data sharing agreement will be enough in those circumstances.

However, in the absence of an adequacy decision, adequate safeguards will need to be put in place before you can transfer data (unless you are able to rely on one of the limited exemptions in the UK GDPR and Data Protection Act 2018).

One of the most common safeguards used are standard contractual clauses.

Standard Contractual Terms

Prior to 2021, the EU had its own set of standard contractual clauses for data transfers which companies in the UK often used (‘Old EU Clauses’).   It updated these in 2021 (‘New EU Clauses’).

The ICO has since developed two sets of standard contractual clauses for the UK.  Which one is appropriate to use depends on whether data is being transferred from the UK only or the UK and EEA.

UK Only – International Data Transfer Agreement

The ICO’s International Data Transfer Agreement (‘IDTA’) is most appropriate for data transfer agreements concluded after 21 March 2022 where data is being transferred from the UK only to another country.

For older agreements based on the Old EU Clauses, there were some transitional provisions allowing organisations time to move onto the new IDTA model, but these expire on 21 March 2024 and, as such, all organisations need to ensure that they are on the new IDTA model from 21 March 2024.

The ICO has since developed two sets of standard contractual clauses for the UK.

UK and EEA – New EU Clauses and Addendum

Organisations who transfer data from the UK and EEA to other countries will usually need to use the second set of standard contractual clauses produced by the ICO known as the International Data Transfer Agreement Addendum (‘Addendum’).  This Addendum is used alongside the New EU Clauses.

Companies should have already moved onto the New EU Clauses and Addendum model as all transitional provisions expired in 2022.

Steps you should take now!

Companies need to review their data transfer practices and agreements to understand what international transfers occur and the agreements that govern these.  They need to understand if data is being transferred from the UK only, or from the UK and EEA, and whether any of their agreements are based on the Old EU Clauses. They should also check if any of their agreements are based solely on the New EU Clauses, without the Addendum.

Any which are now out of date will need to be transferred onto the new models to ensure they remain valid and legally compliant.  If not, the organisation runs the risk of not having adequate safeguards in place for the data transfer in breach of the legislation.  Alternatively, organisations will need to consider if an alternative safeguard should be used, such as binding corporate rules or whether it is able to rely on any of the exemptions in the legislation.

Companies should also carry out transfer risk assessments before relying on the standard contractual clauses (or other safeguards) and so this will also need to be considered as part of the updating.

Our data privacy lawyers are on hand to advise you through this process and to help draft up new agreements as needed.

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking professional and legal advice. Please refer to the full General Notices on our website.

Louise_Keenan
Louise Keenan
Associate

FAQs

A redundancy situation arises when an employee is dismissed in one of three circumstances:

  • Where the employer ceases, or intends to cease, to carry out the business for the purposes of which the employee was employed (a business closure);
  • Where the employer ceases, or intends to cease, to carry on that business in the place where the employee was employed (a workplace closure); or
  • Where the requirement for employees to carry out work of a particular kind (or work of a particular kind in the place where they were employed) has ceased or diminished

If an employee suspects that this is not a genuine redundancy, they could let the employer know that they will be claiming unfair dismissal if the settlement payment is not increased. If the redundancy is genuine, however, the employee could simply ask the employer to be more generous.

Some employees prefer to negotiate themselves, by trying to convince the employer to budge on certain aspects of the agreement, for example, increasing an ex-gratia payment.

The employee can alternatively negotiate through their solicitor, particularly where there are complex legal arguments to put forward. Obtaining independent legal advice is a requirement of a settlement agreement because the employee will be waiving their rights to bring or continue any claims against their employer. A solicitor would be advising the employee on the strengths of a potential case they may bring and explain on that basis which terms in the agreement are more easily negotiable. The solicitor would also advise on which terms are standard and may be difficult to convince the employer to change.

Yes, it is important to count the number of employees affected by a redundancy situation as there are collective consultation rules and obligations that will apply if the employer is proposing to dismiss 20 or more employees at one establishment within a period of 90 days or less.

Related Articles

View all
CCTV cameras on a grey wall
  • Data Protection

Can an employer monitor employees at work?

Can an employer lawfully monitor their employee, without their knowledge, if they suspect wrongdoing? Can employers monitor employees? It’s worth...

Recent data breaches and their impact on organisations
  • Data Protection

Recent data breaches and their impact on organisations

Organisations of all sizes are susceptible to data breaches and the damage caused by these breaches, both reputationally and financially,...

laptop with hands holding a mobile phone
  • Data Protection

Cookies and Consent: the ICO’s Cookie Review

In the digital age, cookies play a crucial role in how websites operate and interact with users. Companies use cookies...

Related Resources

View all

Data Subject Access Request checklist

  • Checklists
  • Data Protection

Confidentiality statement

Confidentiality statement in regards to the monitoring policy. Confidentiality Statement – Monitoring Policy  I agree, save if required by law...

  • Letters
  • Data Protection

International transfers factsheet

International transfers factsheet provides and overview on data protection requirement for international transfers. Introduction The UK General Data Protection Regulation...

  • Factsheets
  • Data Protection

Not a member? Start your membership today!

Sign up
HR Services
Insights
Employmentbuddy
Contact us
Follow us
Find us
London

5th Floor, Chancery House, 
53-64 Chancery Lane, London
WC2A 1QS

Reading

5th Floor, Thames Tower,
Station Road, Reading
RG1 1LX

Find us
London

41-44 Great Queen Street,
London, WC2B 5AD

Reading

5th Floor, Thames Tower,
Station Road, Reading RG1 1LX

Follow us
Clarkslegal is a limited liability partnership registered in England and Wales. Registered number OC308349. Regulated by the Solicitors Regulation Authority (SRA no. 403601)
Human resources at a click
Login