International Data Transfer Agreement
This International Data Transfer Agreement (IDTA) is a template copy of the UK ICO’s IDTA template for transfers of personal data to third countries. It is also available for free from the ICO here as a PDF or Word document. It has been reproduced under the Open Government Licence 3.0 and is offered commercially by Simply-Docs for subscriber convenience alongside the range of Data Processing Agreements.
The processing of personal data in the UK by businesses by the Data Protection Act 2018 and the UK GDPR. The UK GDPR restricts the transfers of personal data to other countries and to international organisations.
If the transfer in question is a “restricted transfer”, the UK GDPR requires that certain safeguards are in place to protect the personal data being transferred (Note that “being transferred” with respect to personal data includes making it available).
Some restricted transfers are covered by “adequacy regulations”. If a country is covered by adequacy regulations, this essentially means that the data protection laws of the country in question have been assessed as “adequate” in terms of their protection for personal data and the rights and freedoms of individual data subjects. The UK has adequacy regulations in place for a number of countries including the EU and EEA and those countries covered by EU adequacy decisions as at 31 December 2020. More details are available from the ICO, here.
If there is no adequacy regulation in place, another mechanism must be used. It is important to note that before using any of these “appropriate safeguards”, a transfer impact assessment must be undertaken in order to determine whether or not you are satisfied that the affected data subjects (i.e., those individuals whose data is to be transferred) will continue to be protected to a level equivalent to the UK’s own data protection laws.
The appropriate safeguards available are as follows:
- A legally binding and enforceable instrument between public authorities or bodies
- Binding corporate rules (BCRs)
- Standard Contractual Clauses (SCCs)
- An approved code of conduct (approved by the ICO)
- Certification under an approved certification scheme (approved by the ICO)
- Contractual clauses authorised by the ICO
There are also various exceptions upon which you may be able to rely, however these are outside the scope of this page.
This document is an International Data Transfer Agreement – the ICO’s version of the Standard Contractual Clauses. The International Data Transfer Agreement is designed to be used in conjunction with a data processing or data sharing agreement which complies with the requirements of the UK GDPR.
The IDTA, along with an international data transfer addendum to the current EU Commission’s SCCs, were published by the ICO in March 2022 and are designed to replace the old EU SCCs which previously remained in effect in the UK after Brexit. Note that, as the ICO explains, “Exporters can use the IDTA or the Addendum as a transfer tool to comply with Article 46 of the UK GDPR when making restricted transfers.”
It is important to note that the IDTA is designed to be used with another agreement – e.g., a data processing agreement that complies with Article 28(3) of the UK GDPR – not instead of such a document. The Data Processing Agreement (UK to Non-EEA) from Simply-Docs, for example, includes a blank schedule into which a completed IDTA should be inserted to cover third country personal data transfers.
The ICO is currently preparing guidance on the use of the IDTA and it is expected to be published soon. This page will be updated with more information on the use of the IDTA as a transfer mechanism when official guidance becomes available. In the meantime, it is recommended that the IDTA is used only with the assistance of the ICO or other suitable professional advice.
The format of the IDTA differs somewhat from standard Simply-Docs templates. We have retained the ICO’s formatting in this document, and it important to note, therefore, that optional text and clauses are not marked in the usual way. The IDTA begins with a set of tables, prompting for key information and those tables include certain checkboxes which help users to tailor the agreement, its scope, and application. Unless expressly indicated in the text, provisions should not be changed or deleted.
Certain tables are largely blank, requiring the entry of your own information. Guidance on completing these sections will be added to this page once the ICO has issued its own guidance. In the meantime, as noted above, professional advice should be sought before using this template.
The remainder of the document contains a comprehensive set of clauses which operate to protect the personal data being transferred or “exported” in this context. Again, additional guidance will be provided on this page once the ICO has provided its own.
Please note that this document is a direct copy of the ICO’s IDTA, the majority of which must be used as-is. This document template therefore includes any drafting inconsistencies which may be present in the ICO’s version. Simply-Docs will regularly monitor the ICO’s IDTA for any changes and will update this template accordingly. This template reflects version A1.0 of the IDTA.
This International Data Transfer Agreement contains the following sections:
Part 1: Tables
Table 1: Parties and signatures
Table 2: Transfer Details
Table 3: Transferred Data
Table 4: Security Requirements
Part 2: Extra Protection Clauses
Part 3: Commercial Clauses
Part 4: Mandatory Clauses
1. This IDTA and Linked Agreements
2. Legal Meaning of Words
3. You have provided all the information required
4. How to sign the IDTA
5. Changing this IDTA
6. Understanding this IDTA
7. Which laws apply to this IDTA
8. The Appropriate Safeguards
9. Reviews to ensure the Appropriate Safeguards continue
10. The ICO
11. Exporter’s obligations
12. General Importer obligations
13. Importer’s obligations if it is subject to the UK Data Protection Laws
14. Importer’s obligations to comply with key data protection principles
15. What happens if there is an Importer Personal Data Breach
16. Transferring on the Transferred Data
17. Importer’s responsibility if it authorises others to perform its obligations
18. The right to a copy of the IDTA
19. The right to Information about the Importer and its Processing
20. How Relevant Data Subjects can exercise their data subject rights
21. How Relevant Data Subjects can exercise their data subject rights – if the Importer is the Exporter’s Processor or Sub-Processor
22. Rights of Relevant Data Subjects are subject to the exemptions in the UK Data Protection Laws
23. Access requests and direct access
24. Giving notice
25. General clauses
26. Breaches of this IDTA
27. Breaches of this IDTA by the Importer
28. Breaches of this IDTA by the Exporter
29. How to end this IDTA without there being a breach
30. How to end this IDTA if there is a breach
31. What must the Parties do when the IDTA ends?
32. Your liability
33. How Relevant Data Subjects and the ICO may bring legal claims
34. Courts legal claims can be brought in
36. Legal Glossary
Alternative Part 4 Mandatory Clauses
This International Data Transfer Agreement is unlocked and in .doc format. Either enter the requisite details in the highlighted fields or adjust the wording to suit your purposes.
Once you have purchased access to the appropriate document folder click on the “Download Document” link below. You will be asked what you want to do with the file. It is recommended that you save the document to a location of your choice prior to viewing.