Robert Bateman

Understanding the International Data Transfer Agreement (IDTA)


An International Data Transfer Agreement (IDTA) is an agreement put in place between two companies when transferring personal data outside the UK. It’s often included alongside a Data Processing Agreement.

The UK has relatively strong data protection standards. But personal data flows all over the world. The law requires you to protect personal data to UK standards—even when it ends up in a country with different laws and practices than the UK.

This article explains what an IDTA is, when you need one, when you don’t need one, and how to meet your legal obligations in this complex area of data protection.

What is the International Data Transfer Agreement (IDTA)?

An IDTA is a contract between an organisation “exporting” personal data from the UK and another organisation “importing” personal data in a country outside the UK.

This process is known as an “international data transfer”—or, sometimes, a “restricted transfer”. 

The IDTA contains mandatory data protection clauses that are binding on both parties. It’s the most common way to meet the legal requirements around international data transfers besides “adequacy regulations” (also known as an “adequacy decision”).

We’ll explain any unfamiliar terms throughout the article.

The IDTA and the impact of Brexit

The UK’s version of the General Data Protection Regulation (GDPR), known as the “UK GDPR”, remains very similar to the EU version. 

The IDTA is the UK’s version of a similar mechanism in the EU known as “Standard Contractual Clauses” (SCCs).

After Brexit, the Information Commissioner’s Office (ICO) devised the IDTA, which was then approved by Parliament. The ICO tried to make the IDTA more accessible than the EU’s SCCs, which were written by the European Commission.

Along with laws like the GDPR, the UK inherited pre-Brexit EU case law. This includes a very important judgment by the Court of Justice of the European Union (CJEU) known as “Schrems II”.

Because of the Schrems II case, UK organisations must conduct a “Transfer Risk Assessment” (TRA) before using the IDTA. 

Like the IDTA, the TRA is a little more business-friendly than the EU’s equivalent, the “Transfer Impact Assessment” (TIA). But it can still get pretty complicated.

When Should You Use the IDTA?

When conducting an “international data transfer”, one of the following must apply:

  • The transfer is covered by “adequacy regulations” (known as an “adequacy decision” in the EU)
  • You’ve implemented an IDTA or one of the other “transfer tools” from Article 46 of the UK GDPR
  • A “derogation” (exception) applies

So what’s an international data transfer? Here are the two key components:

  1. Your organisation is in the UK, and so are the data subjects (the people who the data is about). The UK GDPR applies when your organisation is processing this personal data.
  2. You send the data—or make the data accessible—to a separate organisation outside the UK. The UK GDPR does not apply to this other organisation.

In this scenario, your organisation (based in the UK) is the “exporter”, and the other organisation (based outside the UK) is the “importer”.

International Data Transfer or Not?

Here’s an example of an international data transfer that can be covered by an IDTA:

  • NewsBook, a UK media publisher, wants to use analytics software to see how people use its app.
  • NewsBook decides to engage DataBraz, an analytics provider based in Brazil.
  • NewsBook will send DataBraz data about its users for analysis in Brazil.

In this scenario, we have an exporter, NewsBook (covered by the UK GDPR), and an importer, DataBraz (not covered by the UK GDPR).

The following example is not an international data transfer:

  • NewsBook’s CEO goes on a business trip to Brazil.
  • She accesses personal data about NewsBook employees and customers while in Brazil.

Although the personal data is being accessed in Brazil, there’s only one party here—NewsBook.

An international data transfer requires two legally distinct entities: a UK-based exporter and a non-UK importer, with the exporter sending personal data to the importer or making it available to the importer.

Adequacy Regulations and Other Transfer Tools

You don’t need an IDTA—or any other transfer tool—if you’re transferring personal data to a country covered by “adequacy regulations”. You can just go ahead and make the transfer.

Adequacy regulations are adopted when the UK Secretary of State has assessed a country’s data protection standards and determined that they are essentially equivalent to the UK’s. 

The UK inherited almost all of its adequacy regulations from the EU (which calls them “adequacy decisions”). The EU also adopted an adequacy decision in respect of the UK, so EU businesses can transfer personal data to the UK without any extra safeguards.

Countries covered by adequacy regulations include all European Economic Area (EEA) member states, South Korea, and Israel. There’s a full list of countries covered by UK adequacy regulations here.

Some adequacy regulations are more complicated, like those covering Canada and Japan, and the one covering the United States, which only covers businesses certified under the UK Extension to the EU-US Data Privacy Framework (DPF) (you can search for certified businesses here).

Besides the IDTA and adequacy regulations, there are other “transfer tools” available, like Binding Corporate Rules (BCRs) used to transfer data between entities within a corporate group. However, the IDTA is the most appropriate option in most circumstances.

Derogations (‘Exceptions’)

Article 49 of the UK GDPR provides a list of derogations, also known as “exceptions”—circumstances in which you can conduct an international data transfer even without adequacy regulations or a transfer tool.

We won’t go into detail about the derogations in this article, but some of the most important derogations include:

  • Explicit consent: Each data subject freely consents to the transfer after you have explained the risks involved.
  • Contractual necessity: You need to carry out the transfer to perform obligations under a contract with the data subject, or to enter into a contract with the data subject.
  • Vital interests: You urgently need to transfer personal data outside the UK to prevent a risk to someone’s life or health, for example if they cannot consent to the transfer.

The derogations are not suitable for long-term arrangements and are usually a last resort where no other transfer mechanism is feasible.

Step-by-Step Guide to Implementing the IDTA

Before we look at the structure of the IDTA, here’s an overview of the steps you should take before using it.

Mapping Your Data Flows

International data transfers are extremely common. If you’re using software or services provided by companies based outside the UK, you could be transferring personal data many times every day. These transfers must be covered by an IDTA.

Consider mapping your company’s data flows to ensure you have any necessary IDTAs in place with companies such as:

  • Software providers
  • Suppliers
  • Contractors

Larger vendors will often incorporate IDTAs into service agreements—but your organisation is legally responsible for protecting the data it controls. Take the time to review any IDTAs already in place and ensure all international data transfers are covered.

Transfer Risk Assessment (TRA)

An IDTA isn’t a “silver bullet” that protects personal data in all circumstances. You must do a TRA before using the IDTA to ensure it is actually suitable for making the transfer.

The requirement to carry out a TRA comes from 2020’s “Schrems II” judgment, mentioned above. In that case, the EU court found that US intelligence agencies could still access data transferred using SCCs, the EU’s equivalent to the IDTA.

A TRA involves: 

  • Identifying all the circumstances of the transfer, including what types of data it involves, what types of people the data is about, and the purposes for which the importer may use the data. 
  • Assessing the risks of the transfer and whether the IDTA can effectively protect people’s rights once their data leaves the UK. 
  • Identifying any technical or organisational measures you can put in place to keep the data safe.

The ICO provides a TRA Tool to help you carry out the TRA and decide whether the transfer can proceed. 

It’s a complicated process, so consider taking legal advice—particularly if you intend to transfer sensitive data, or if the importer is in a country with an authoritarian government.

The ICO is more risk-tolerant than EU regulators, so some transfers may proceed even if there’s a risk of personal data being accessed without authorisation. 

But a TRA might reveal that the IDTA is not a suitable transfer mechanism—in which case, you’ll need to consider other options or not transfer the data at all.

IDTA or IDTA Addendum?

There are two types of IDTA, and you should choose the one that is most appropriate for your circumstances:

  • The “regular” IDTA, which incorporates contractual clauses (the mandatory data protection clauses mentioned above) written by the ICO, or
  • The IDTA Addendum, which incorporates the EU’s SCCs, with some text amending the SCCs to reflect the fact that the transfer is taking place under UK law. The IDTA Addendum has been designed to “bolt on” to the EU Standard Contractual Clauses, to make it easier for companies in certain situations.

Both options are equally valid in the UK. 

The IDTA Addendum might be more suitable if: 

  • The transfer includes personal data about people in the EU, or 
  • You’re updating older transfer arrangements covered by the EU SCCs.

Again, international data transfers are a complicated area of data protection law, so consider taking legal advice if you’re unsure how to proceed.

We’ll focus on the “regular” IDTA for the remainder of the article.

Key Components of the International Data Transfer Agreement

Now we’re going to look at the structure of the IDTA—what information you need to provide when using it to transfer personal data out of the UK.

Part 1: Tables

The first part of the IDTA is a series of tables where you can provide details of the transfer and the organisations carrying it out.

Having conducted a TRA, you’ll already have a lot of the information you need to provide when filling out the tables.

We won’t go into detail about every table in the IDTA, but here’s a look at some of the more noteworthy sections.

Table 1 is simple enough—provide details of the organisations undertaking the transfer and sign the IDTA.

Table 2 requires you to provide details of the transfer, including:

  • The status of the exporter (you) and importer (the organisation receiving the data): Who’s a controller and who’s a processor? You can use the IDTA to transfer data to a controller or a processor.
  • Linked Agreements: You can incorporate other agreements into the IDTA, and they’ll form part of the contract covering the transfer. For example, if you have a Data Processing Agreement (DPA) or Service Level Agreement (SLA) with the importer, you can reference it here.
  • Termination and further transfers: You can choose whether to allow either party to end the IDTA early and whether the exporter can transfer the personal data to other organisations. This will depend on the conditions and level of risk your organisations are willing to accept—you might have to negotiate with the importer.
  • Review dates: If the transfer is an ongoing arrangement, you’ll need to agree on how often to review the security measures (we’ll look at security below). The ICO recommends reviewing the agreement at least annually—or more often if the data is sensitive.

Table 3 asks for details of the type of data you’re transferring, including any “special categories of personal data”, the data subjects (whether they are employees, customers, shareholders, etc.), and the purposes for which the importer may use the data.

Table 4 covers security requirements, which you and the importer must agree depending on the nature of the data and the transfer. Security requirements may include measures such as:

  • Encryption
  • Access controls
  • Firewalls
  • Security software
  • Staff training

You will have determined the appropriate level of security when conducting your TRA.

Part 2: Extra Protection Clauses

During your TRA, you should have determined whether your transfer requires “extra protections” in addition to the security requirements listed in Table 4.

You might not need to fill out this part of the IDTA. The ICO has not fully explained why extra protections are necessary, given that you can usually include all necessary security measures in Table 4.

However, you likely will require extra protections if the importer is carrying out “automated decision-making” covered by Article 22 of the UK GDPR.

Explaining automated decision-making rules in the context of international data transfers goes beyond the scope of this article. As always, consider taking legal advice if you’re unsure of how to proceed.

Part 3: Commercial Clauses

Commercial clauses are optional. You may wish to incorporate commercial agreements into your IDTA—but these cannot reduce the level of protection required under the “mandatory clauses”, which we’ll look at next.

Part 4: Mandatory Clauses

The “mandatory clauses” are untouchable—both parties should read them to ensure they understand their obligations under the IDTA, but neither can change them.

The mandatory clauses require the importer to protect the transferred data to UK GDPR standards. For example, if you’re a controller and the importer is a processor, the importer must help you facilitate people’s data subject rights requests.

Technically, you could remove any mandatory clauses not relevant to the transfer. For example, some mandatory clauses are only relevant for transfers from a controller to a processor, while others only cover transfers from a processor to another processor.

But there’s no real need to remove any mandatory clauses, so the safest option is to leave them alone.

Transitioning from Old SCCs to the IDTA

Some UK organisations still have contracts that were agreed when the UK was still subject to EU law. Brexit has made things even more complicated for international data transfers, so let’s briefly look at how this area of data protection has changed over the past few years.

In June 2021—after the UK formally left the EU—the European Commission adopted new SCCs (the EU’s equivalent of the IDTA). The deadlines for moving over to the new SCCs have now expired.

Until recently, some UK organisations were still transferring personal data under the EU’s old SCCs, usually via the IDTA Addendum (which we explain above).

Since March 2024, all international data transfers covered by UK law must be covered by either:

  • The IDTA, or
  • The IDTA Addendum incorporating the new EU SCCs.

This deadline affects both new data transfers, and old transfer arrangements that have been ongoing since before the new SCCs came into effect.

If you’re covered by the UK GDPR and you still have older data transfers ongoing—whether under the old SCCs or the new ones—you should contact the importing party and ask them to sign the IDTA or IDTA Addendum.

Frequently Asked Questions about the IDTA

What are the penalties for not using the IDTA?

Conducting an international data transfer without an IDTA or any other transfer mechanism is subject to the highest tier of fines under the UK GDPR—up to £17.5 million or 4% of worldwide annual turnover.

The UK’s ICO has not yet brought an enforcement case concerning international data transfers. 

But violating the international data transfer rules was behind the biggest GDPR fine of all time—€1.2 billion (around £1 billion), issued against Meta by the Irish regulator in May 2023.

Can existing contracts using old SCCs be extended?

No, the deadline for existing transfers under the “old SCCs” expired in March 2024. UK exporters must implement an IDTA or IDTA Addendum (incorporating the new SCCs).

What supplementary measures might be required?

Examples of “supplementary measures” (or “extra protections”, as the ICO calls them) include:

  • Access controls
  • Encryption
  • Antivirus or other security software
  • Data protection and security training for employees
  • Contractual commitments to maintain certifications or professional body memberships

The ICO’s TRA Tool can help you decide which supplementary measures are appropriate in the context of the transfer.

How often should transfer risk assessments be updated?

You should update your TRA whenever the circumstances of your transfer change in a way that affects the risks involved in your international data transfer.

For example:

  • You change the types of personal data you’re transferring
  • You start transferring personal data about different types of people
  • The importing country’s government changes, and you are concerned that the new government might have less regard for human rights

As for the IDTA itself, the ICO recommends reviewing this at least annually, or more often in the case of riskier transfers.

Are there any exemptions to using the IDTA?

Yes. The UK GDPR provides eight “derogations” (exceptions) for specific situations where the usual rules on international data transfers do not apply. We explore these derogations above. 

Derogations aside, the IDTA is just one of several options for transferring personal data outside the UK. However, the IDTA is the most common international data transfer tool when a transfer is not covered by adequacy regulations.

Best Practices for Using the IDTA Effectively

  • Ensure staff receive regular data protection training and know how to recognise an international data transfer.
  • Map your data flows and review existing contracts to ensure all international data transfers are covered by an IDTA (if necessary).
  • Leverage technology to streamline the creation, management, and regular review of IDTAs.
  • Always conduct a TRA before putting an IDTA in place.
  • Publish meaningful information about your international data transfers in your organisation’s Privacy Notices.

Ensuring Data Protection with the IDTA

The UK has strong data protection and privacy laws that provide substantial rights and protections. The IDTA helps ensure that people still enjoy those rights and protections even when their personal data leaves the UK.

International data transfers are a complex area of data protection law, and the risks can be significant.

Putting systems in place to help you recognise international data transfers, conduct TRAs, and implement IDTAs can help improve efficiency and avoid the reputational and financial risks of data protection violations.

Additional Resources for IDTA and GDPR Compliance

  • This page of the ICO’s website provides links to the following documents:
    • The IDTA
    • The IDTA Addendum
    • The TRA Tool (at the bottom of the page)
  • The European Commission’s Standard Contractual Clauses (SCCs)
  • European Data Protection Board (EDPB) Recommendations 01/2020, which sets out the six-step Transfer Impact Assessment (TIA) process.
  • Privasee’s free GDPR audit, which can help you understand and improve your organisation’s compliance position
July 24, 2024
