Search

How can we help?

Icon

Clarkslegal act for a multi-national company on an International Data Transfer Agreement

We recently acted for the UK arm of a multi-national company in connection with the transfer of personal data to an HR services-provider based in the United States.

An International Data Transfer Agreement (IDTA) was prepared for the client using the Information Commissioner’s Office (ICO) standard form agreement, which came into force on 21 March 2022 (as well as a Data Transfer Addendum which can be used with the EC Standard Contractual Clauses). Any contract signed after 21 September 2022 is required to use the IDTA or the Addendum for a restricted transfer of personal data from the UK – i.e. one to a jurisdiction not covered by UK adequacy regulations and where none of the exceptions set out in the UK GDPR apply. 

The United States is not covered by the adequacy regulations and none of the exceptions were applicable, so an IDTA was required as this is a so-called Article 46 transfer mechanism providing ‘appropriate safeguards for the transfer where there is no adequacy finding or applicable exceptions.

The ICO make it abundantly clear that any person relying on an Article 46 transfer mechanism must carry out a transfer risk assessment (TRA). The reason for this is that, taking into account factors such as the nature of the personal data being transferred and the legal regime in the recipient jurisdiction, the IDTA on its own may not be sufficient to provide the required protections under the UK data protection regime for the data subjects whose personal data is being transferred. The TRA allows a structured and methodical analysis to be carried out on this sufficiency issue, and the outcome may be that additional protections are needed, be they organisational, technical and so on. 

Jon Chapman

Senior Consultant

View profile

+44 118 960 4683

The ICO make it abundantly clear that any person relying on an Article 46 transfer mechanism must carry out a transfer risk assessment (TRA).

In this case, we prepared a detailed TRA following guidance published by the ICO as to content and structure. This required us to examine the nature of the personal data being transferred, the contractual and other safeguards in place with the recipient in the United States and relevant aspects of the US legal regime, such as the ability of third parties (e.g. government bodies) to access personal data held by commercial organisations, and any applicable constraints and safeguards. Current US law and recent developments in this area were considered. For example, on 7 October 2022, President Biden signed an Executive Order on Enhancing Safeguards for US Signals Intelligence Activities, which is aimed at addressing concerns raised by the European Court of Justice about the risk of US government surveillance to the privacy rights of Europeans (with the ultimate aim of allowing reinstatement of the EU-US Privacy Shield). Although the Order has a specific EU angle, it seems likely that its ambit will be extended to UK data subjects given the close alignment between EU and UK data protection laws, and so this was a relevant potential risk mitigant. 

The TRA must be thorough and forensic, and not a case of simply going through the motions. If an appropriate safeguard used by an organisation transferring restricted data to another jurisdiction is subsequently challenged, the TRA will be vital in demonstrating that correct processes were followed. 

In this case, we concluded on the basis of the TRA exercise, that the IDTA provided an appropriate safeguard for the restricted transfer. 

If you need any advice on an International Data Transfer Agreement, please do not hesitate to contact a member of our data protection team, who will be happy to assist. 

About this article

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

Jon Chapman

Senior Consultant

View profile

+44 118 960 4683

About this article

Read, listen and watch our latest insights

art
  • Employment
  • 09 June 2025

Clarkslegal representing UK employers at the International Labour Conference

I am writing this from Geneva, where I once again have the honour of attending the International Labour Organisation’s International Labour Conference.

art
  • Immigration
  • 06 June 2025

MAC Report: Immigration Support for IT and Engineering Professionals

On 29 May 2025, the Migration Advisory Committee (MAC) published its much-anticipated review on the use of the UK immigration system by professionals in IT and engineering.

art
  • Corporate and M&A
  • 04 June 2025

Authorised Corporate Service Providers – what you need to know!

The Economic Crime and Corporate Transparency Act 2023 (ECCTA 2023) intends to enhance the transparency of corporate structures with an aim to reduce economic crime.

art
  • Privacy and Data Protection
  • 04 June 2025

Decrypting the ICO’s Draft Updated Guidance On Encryption

Where data breaches are easily achieved by human error, encryption not only offers a secure way of sending personal data, but also provides another layer of protection if a data breach was to occur.

Pub
  • Corporate and M&A
  • 27 May 2025

Thinking of exiting your business? Part 3

In the third and final episode of our three-part podcast series, join Stuart Mullins and Nicky Goringe Larkin as they discuss the sectors that are currently popular for business exits, as well as those that may have difficulty attracting buyers.

art
  • Privacy and Data Protection
  • 27 May 2025

Extension of UK adequacy: The European Data Protection Board adopts the European Commission’s decision

Earlier this year, the European Commission adopted an extension of the two 2021 adequacy decisions with the UK for a period of six months, until 27 December 2025.