How to use the International Data Transfer Agreement for data transfers outside the UK
On 21 March 2022, the international data transfer agreement (IDTA) issued by the Information Commissioner came into force. Entered into as a binding contract, the agreement provides appropriate safeguards for restricted transfers of personal data outside the UK. Alternatively, businesses can equally use the other newly adopted document, the International Data Transfer Addendum. If you are subject to the UK GDPR and are unsure about which instrument is best suited to your planned data transfers, you can read our previous blog post on the matter. In this post, we explain how to complete the IDTA by going through its main parts step by step. The document itself is rather lengthy: it extends over 36 pages, divided into four parts. Each part is looked at in more detail below.
Part 1: Tables
The IDTA’s first part is presented in tabular form. These tables are to be completed collaboratively by both parties to the agreement (the data exporter and the data importer). They are presented in a very user-friendly way, as they simply require the parties to fill in gaps or to tick the applicable checkboxes in multiple-choice questions. However, clause 5 of the IDTA also explicitly allows the parties to dispense with the tabular form, as long as they ensure that any changes made do not reduce the appropriate safeguards. Each table tackles a different aspect of the underlying transfer:
Table 1: Parties and Signatures
The IDTA’s first table is dedicated to the ‘parties and signatures’. Here, the parties should enter the contract’s start date (the date from which the parties are bound by the IDTA), the parties’ details and their key contacts. Moreover, they must sign to confirm their intention to be legally bound by the agreement.
Table 2: Transfer details
The second table is to be completed with details concerning the transfer itself.
First, a choice must be made as to whether the law of England and Wales, Northern Ireland or Scotland governs the agreement, and which of these jurisdictions is the primary place for legal claims to be brought. Secondly, the parties must clarify their respective roles. Hence, they must indicate whether they act as controller or processor of the transferred data, and whether the UK GDPR also applies to the importer’s further processing of the transferred data. Importantly, the parties must then select whether they wish to invoke a ‘linked agreement’. This term refers to previous agreements entered into by the parties that contain instructions on how to process the transferred data and/or additional obligations. Such agreements have generally been concluded where either the importer or the exporter acts as the other party’s processor or sub-processor. The parties can simply link such agreements to the IDTA by indicating the agreement’s name, date and parties. Next, the parties must determine the term of the IDTA. Generally, the IDTA should remain valid for as long as the linked agreement remains in force. If there is no underlying linked agreement, the parties can instead set a time period which they deem necessary for the purpose. The parties can further choose whether the IDTA may be terminated unilaterally by one of them in writing. Additionally, they can opt to prohibit any onward transfers of the transferred data by the importer, or alternatively allow such transfers in accordance with the safeguards provided for in section 16.1. If they allow them, they may also impose further specific restrictions on such onward transfers, such as requiring the importer to inform the exporter in writing beforehand. Lastly, the parties must determine the intervals at which the IDTA is to be reviewed, unless it concerns a one-off transfer.
Table 3: Transferred data
Table 3 asks for details of the transferred data itself. First, the parties must choose whether they wish the categories of transferred data and the data subjects concerned to be updated automatically whenever they are updated in the linked agreement. Alternatively, they can be updated manually by agreeing any such change in writing. Next, the parties must determine whether any special categories of personal data, or data relating to criminal convictions and offences, are involved. If so, they must specify which data. Lastly, the parties are required to indicate the purposes for which the importer may process the transferred data, and whether those purposes update automatically when they are updated in the linked agreement. Alternatively, the parties can choose to update them manually by agreeing in writing.
Table 4: Security requirements
In table 4, the parties should fill in any security requirements they have agreed concerning the transmission, storage and processing of the data, as well as any organisational security measures or minimum technical requirements. These concern the general security measures prescribed under the UK GDPR, such as encrypting the data and deleting it where retention is no longer necessary to fulfil the underlying processing purposes. The parties can equally decide whether the security measures update automatically when the linked agreement is updated.
Part 2: Extra Protection Clauses
The agreement’s second part tackles the additional data transfer criteria established by the European Court of Justice in its famous Schrems II ruling. Just as with the European Standard Contractual Clauses, simply signing the IDTA is insufficient to render the underlying data transfer valid. Instead, the EU Court requires the parties to assess whether the country of destination’s level of data protection is essentially equivalent to the standard of European data protection law, by conducting a Transfer Risk Assessment (TRA). Under the UK IDTA, the responsibility to conduct such a TRA lies with the data exporter. The data importer is, however, further obliged to provide the exporter ‘with all relevant information regarding local laws and practices and the protections and risks which apply to the transferred data when it is processed by the importer’ which may reasonably be required for any TRA (clause 8.3.1 IDTA). For more information on how to conduct a TRA, you can read our blog entry on the EU’s Transfer Impact Assessment. That post was written for the EU GDPR, but the TRA under the UK GDPR essentially gives rise to the same obligations. The ICO has also adopted its own guidelines on the TRA. Should the TRA indicate that the level of data protection in the country of destination is equivalent to UK GDPR standards, correctly completing and signing the IDTA suffices to allow the transfer to take place. Conversely, where the TRA indicates that the country of destination’s level of data protection is insufficient, effective supplementary measures must be adopted. These should then be included in part 2 of the IDTA as ‘extra protection clauses’.
Part 3: Commercial Clauses
Part 3 allows for the optional inclusion of commercial clauses. This possibility is especially useful when the parties have not previously entered into a linked agreement.
Part 4: Mandatory Clauses
The IDTA’s fourth part contains its mandatory clauses. These impose a range of obligations on the parties which ultimately allow for the provision of appropriate safeguards. The mandatory clauses cannot be changed or deleted by the parties. They cover different topics. The first set of mandatory clauses contains explanatory information about the IDTA: they explain its structure and definitions and how to sign or change the agreement. The second set specifies how the IDTA provides appropriate safeguards for the transfer. Businesses wishing to enter into the IDTA are advised to read carefully through the relevant obligations listed there. The most important include the following. Each party must ensure that the security requirements and extra protection clauses provide a level of security which is appropriate to the risk of a personal data breach occurring and to the impact of such a breach on the relevant data subjects (clause 8.5). The exporter must further be able to ensure and demonstrate that these requirements and clauses provide appropriate safeguards. The importer, on the other hand, is obliged to inform the exporter of any relevant changes in local laws and practices, to take reasonable steps to verify whether there are any such laws or practices, and to cooperate with the exporter to ensure compliance.
The parties further agree to pause the transfer and processing of transferred data without undue delay when the IDTA no longer provides appropriate safeguards. They may only resume the transfer once the extra protection clauses have been adapted as necessary. The parties are also obliged to cooperate with the ICO to the extent necessary. The exporter’s most important obligations include compliance with the IDTA and the linked agreement. Moreover, where the importer is also subject to UK data protection laws, it must comply with them; otherwise, it must ensure compliance with key data protection principles instead.
The mandatory clauses further include requirements on the action to be taken in case of a personal data breach, the conditions under which the transferred data may be transferred onward by the importer, the importer’s responsibilities if it authorises others to perform its obligations, and the relevant rights of data subjects. Lastly, the mandatory clauses regulate access requests by public authorities, breaches of the IDTA and its termination.
Businesses wishing to transfer personal data on the basis of the UK IDTA are hence best advised to go through its different parts step by step. While the document at first appears lengthy, its clearly arranged structure and plain language render it user-friendly. Once the importer and exporter have agreed on the specifics of the transfer and the exporter has conducted an adequate TRA, filling in the IDTA should not be a burdensome task. Further guidance on the IDTA from the ICO can also be expected soon.