International Data Transfer Agreement

This International Data Transfer Agreement (IDTA) is a template copy of the UK ICO’s IDTA for transfers of personal data to third countries.

It is offered by Simply-Docs for convenience alongside its data processing agreement templates, but it is also available free of charge from the ICO here.

The IDTA is designed to be used with a UK GDPR-compliant data processing or data sharing agreement, not instead of one. For processor arrangements involving transfers outside the EEA, see Data Processing Agreement (UK to Non-EEA).

When the IDTA is needed

The UK GDPR restricts transfers of personal data to other countries and to international organisations. If a transfer is a restricted transfer, appropriate safeguards are required unless the destination is covered by adequacy regulations.

Adequacy regulations apply where the destination country or territory is recognised as providing adequate protection for personal data and the rights and freedoms of data subjects. Where adequacy does not apply, another transfer mechanism must be used.

Before relying on an appropriate safeguard, a transfer impact assessment should be carried out to determine whether affected data subjects will continue to be protected to a level equivalent to that provided under UK data protection law.

Appropriate safeguards and the role of the IDTA

The UK GDPR recognises a range of appropriate safeguards for restricted transfers, including:

• legally binding and enforceable instruments between public authorities or bodies;
• binding corporate rules;
• standard contractual clauses;
• approved codes of conduct;
• certification under an approved certification mechanism; and
• contractual clauses authorised by the ICO.

The IDTA is the ICO’s UK transfer tool and is the UK version of standard contractual clauses. The ICO also provides an International Data Transfer Addendum to the EU Commission’s current standard contractual clauses, and exporters may use either the IDTA or the Addendum to comply with Article 46 of the UK GDPR when making restricted transfers.

There are also exceptions that may apply in some cases, but those are outside the scope of this page.

How this template fits with other agreements

This document should be linked to another agreement governing the underlying relationship and processing arrangements. In particular, it is intended to sit alongside an agreement that already deals with the UK GDPR requirements for the processing itself.

For example, the Data Processing Agreement (UK to Non-EEA) includes a blank schedule into which a completed IDTA can be inserted for third-country transfers.

Format and structure of the document

This template is a direct copy of the ICO’s IDTA and substantially follows the ICO’s own format. Much of it is intended to be used as-is.

The document begins with tables that capture key information about the parties, the transfer, the transferred data, and security requirements. It also contains checkboxes that help tailor the agreement’s scope and application.

The remainder of the IDTA contains detailed operative clauses designed to protect the personal data being transferred. This template reflects version A1.0 of the IDTA.

The document includes:

• Part 1: Tables, including details of the parties, transfer details, transferred data, and security requirements;
• Part 2: Extra Protection Clauses;
• Part 3: Commercial Clauses; and
• Part 4: Mandatory Clauses, together with alternative Part 4 Mandatory Clauses.

Important legal point

❗ The IDTA should be used with care. It is intended to support compliance with the UK GDPR for restricted transfers, but professional advice is recommended before use.

This is particularly important because the IDTA is largely the ICO’s own text and may include drafting inconsistencies present in the official version.

International Data Transfer Agreement is part of Business . Just £38.50 + VAT provides unlimited downloads from Business for 1 year.