Skip to content
Business Personal Menu

In August last year, we published an article on how to ensure that personal data is protected when using overseas providers. In it, we explained that, where any transfer of personal data is to a country or organisation not covered by an adequacy decision, an “appropriate safeguard” must generally be put in place and that one of the mechanisms for doing so was being phased out. The date for that mechanism ceasing to be available is now very close and organisations should therefore ensure that they urgently make the necessary changes to continue to be compliant with data protection legislation.


What is changing?

From 21 March this year, businesses will no longer be able to rely on the contractual provisions known as Directive SCCs (or Standard Contractual Clauses) as the appropriate safeguard for sending data overseas. Instead, either an International Data Transfer Agreement (IDTA) or an Addendum to the EU Commission’s Standard Contractual Clauses needs to be used.


What needs to be done?

If you are relying on the Directive SCCs as an appropriate safeguard for the transfer of personal data to another country then, before 21 March, you will need to replace this with either an IDTA or an Addendum. In practice, the IDTA will usually be the most straightforward appropriate safeguard to use. This is a user-friendly, standard form agreement which can be used in conjunction with other agreements (such as a contract for services).


What do our lawyers say?

Jenny Wade, an associate in our commercial team, has helped clients put in place a number of IDTAs.

“Where businesses are relying on Directive SCCs, it will be necessary to update these arrangements urgently, in order to ensure continued compliance with the requirements of data protection legislation,” said Jenny.

“This is critical in order to avoid the risk of investigation by the Information Commissioner and possible sanctions and large fines.”

Hannah Nagel, a solicitor in our commercial team, advises on a range of data protection matters including data processing agreements and privacy notices.

“If you are using, for example, payment processing platforms and cloud service providers with servers based in a country not subject to an adequacy decision, you must ensure that a lawful transfer mechanism is in place to protect your customers’ personal data and comply with the legislation,” said Hannah.

The consequences of non-compliance can be significant as, not only can this result in reputational damage, but also the Information Commissioner’s Office (ICO) can award fines of up to a maximum of £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.”


For advice on data protection matters, contact partner and head of commercial servicesAntony Hall on

Latest News