Best Practice Update

International Data Transfers (part 1):  Navigating Cross-Border Data Transfers: Understanding EU SCCs, UK Addendum, and UK IDTA

The first in a seriers on International Data Transfers..
Navigating Cross-Border Data Transfers: Understanding EU SCCs, UK Addendum, and UK IDTA

In the ever-evolving landscape of global data protection, we are continually challenged to ensure the secure and lawful transfer of personal data across borders. The European Union (EU) has long been a frontrunner in establishing data protection standards, and its regulations have far-reaching implications for those engaged in cross-border data transfers.

Whilst you may think that you do not transfer data overseas and therefore do not need to consider this, many of the suppliers used in schools do.

  • Two crucial mechanisms that play a pivotal role in this scenario are the EU Standard Contractual Clauses (SCCs), the UK Addendum and the UK International Data Transfer Agreement (IDTA). In this blog, we will delve into these mechanisms, aiming to demystify their significance and shed light on how they influence our data protection practices:
EU Standard Contractual Clauses (SCCs):

The EU SCCs have been a fundamental tool for ensuring the lawful transfer of personal data outside the European Economic Area (EEA). These standard contractual clauses, approved by the European Commission, set out a legal framework that binds both the data exporter and the data importer to uphold EU-level data protection standards and avoid the need for lengthy bespoke Data Processing Agreements.

The SCCs address key principles such as purpose limitation, data minimisation, and the rights of data subjects, providing a standardized approach to safeguarding personal data in transit.

UK Addendum:

As the United Kingdom formally exited the EU, it has charted its course in data protection. The UK Addendum is a crucial element in this regard, serving as an additional layer to the existing EU SCCs when transferring personal data from the UK to a third country. Organisations engaging in such transfers must ensure compliance with both the EU SCCs and the UK Addendum, navigating the intricacies of dual regulatory landscapes.

The UK Addendum aligns with the principles outlined in the EU SCCs, emphasising the need for data protection measures that meet the UK's high standards. Organisations need to incorporate the UK Addendum into their data transfer agreements to seamlessly adhere to both EU and UK data protection requirements.

UK International Data Transfer Agreement (IDTA):

To streamline international data transfers post-Brexit, the UK has now introduced the International Data Transfer Agreement (IDTA). This framework facilitates the exchange of personal data between organisations within the UK and counterparts outside the country. The IDTA incorporates principles akin to the EU SCCs, ensuring that data protection standards are maintained during cross-border transfers.

Organisations can leverage the UK IDTA as an alternative to the EU SCCs when transferring data from the UK to a third country. 

In the intricate world of cross-border data transfers, staying abreast of regulatory developments is paramount for organisations striving to maintain compliance and uphold data protection standards.

The EU SCCs, UK Addendum, and UK IDTA represent vital tools in this ongoing journey, offering a structured framework to navigate the complexities of international data transfers.

If you have any questions surrounding your existing contractual relationships with suppliers where international data transfers are required or are considering a new supplier based overseas, please get in touch. We would be happy to support you in conducting due diligence to ensure an appropriate legal framework is in place to facilitate a secure data transfer.

Robot wearing an orange hoodie holding a piece of paper with the words Data Protection education is transparent text

This week the IAPP published a set of AI privacy risks in the wake of concerns over how AI should be regulated.  There are moves to regulate AI, such as the EU AI Act, however  because AI remains quite an unknown quantity, there is a lot of unease and uncertainty around it's use, ethics, privacy and intellectual property.

hand holding a mobile phone with social media icons on it. Litus Digital logo and Data Protection Education logo. Guardians of Privacy: Navigating social media in educational settings in blue text.  A series of articles about social media, privacy and schools in black text.  Coloured pencils at the bottom

This article is one of a series written by Data Protection Education in collaboration with Litus Digital, a social media management company.  The articles came about from questions asked by Data Protection Education's customers, our own experience of working in education,  as school governors, parents and data protection professionals.  The articles raise questions about how social media can be used as safely as possible in a school environment,  security considerations, the law and protecting children.  It is not possible to cover every aspect of social media, but the articles aim to provide guidance, raise privacy questions and provide some support for safe posting.

hand holding a mobile phone with social media icons on it. Litus Digital logo and Data Protection Education logo. Guardians of Privacy: Navigating social media in educational settings in blue text.  A series of articles about social media, privacy and schools in black text.  Coloured pencils at the bottom

This article is one of a series written by Data Protection Education in collaboration with Litus Digital, a social media management company.  The articles came about from questions asked by Data Protection Education's customers, our own experience of working in education,  as school governors, parents and data protection professionals.  The articles raise questions about how social media can be used as safely as possible in a school environment,  security considerations, the law and protecting children.  It is not possible to cover every aspect of social media, but the articles aim to provide guidance, raise privacy questions and provide some support for safe posting.

  1. Guardians of Privacy: 14. Social Media and Cyber Bullying
  2. Guardians of Privacy: 13. Social Media, Copyright and Intellectual Property
  3. Guardians of Privacy: 12. Social Media and Going Viral
  4. Guardians of Privacy: 11. Staff Social Media Accounts
  5. Guardians of Privacy: 10. Social Media and Cookies
  6. Guardians of Privacy: 9. Social Media and Morality
  7. New Resources for Schools from the ICO
  8. Guardians of Privacy: 8. Social Media Policies
  9. Guardians of Privacy: 7. Social Media Data Retention
  10. Guardians of Privacy: 6. Posting Safely
  11. Guardians of Privacy: 5. Social Media and Consent
  12. Guardians of Privacy: 4. Social Media Access Control
  13. Guardians of Privacy: 3. Social Media Channels
  14. Guardians of Privacy: 2. Law and Regulations
  15. The ICO reprimands a Multi Academy Trust
  16. Guidance for the use of school email and applying email retention in schools
  17. Data Protection Tips for Early Years Settings
  18. Children's Privacy around the world is a puzzle
  19. Trust Initial Plan Checklist Update
  20. Records Management Best Practice Update
  21. What do I need to redact?
  22. Trust Initial Plan for Data Protection Compliance (for Multi Academy Trusts)
  23. Google for Education Resources: Helping IT Admins meet DfE digital and technology standards
  24. Lettings Best Practice and Guidance
  25. Considerations when migrating to a new MIS
  26. Public bodies and sensitive data
  27. Get a DPE Badge for your website!
  28. ICO: 10 Step guide to sharing information to safeguard children
  29. Help after a Cyber Attack/Incident
  30. Data Protection and Cyber Security (Inset Day) Training Ideas
  31. How KCSIE is linked to Cyber Strategy
  32. Handling Freedom of Information Requests the right way
  33. Where's Harry the Hacker?
  34. The ICO Reprimands a school
  35. Redaction Guidelines Updated
  36. Using WhatsApp in Schools
  37. How to contact us for support, subject access requests, data breaches and FOI's
  38. FOI: Reinforced Autoclaved Aerated Concrete
  39. FOI: Henry Jackson Society
  40. FOI: Vaccination Justifications
  41. How the Record of Processing Can Help You
  42. What does a Data Protection Officer Do?
  43. Carrying out Supplier Due Diligence
  44. How Long Should You Keep Personal Data For?
  45. B&H FoI: Racist/religious incidents/bullying
  46. Protocol for Setting Up and Delivery of Online Teaching and Learning
  47. Class Dojo International Data Sharing
  48. Model Publication Scheme: Amendments, Improvements and Updates
  49. Transparency
  50. Research projects and GDPR
  51. Secure file transfer of files using Royal Mail
  52. Emergency contacts and consent
  53. Key elements of a successful DPIA
  54. FOI Publication Schemes
  55. Best Practice for Managing Photos and Video
  56. New Drip Feeds: Recognise and Respond to Subject Access Request
  57. When to contact the Data Protection Officer?
  58. National child measurement programme
  59. Headteacher fined for breach of data protection legislation
  60. Acceptable Use Policy

Search