Search

How can we help?

Icon

Clarkslegal act for a multi-national company on an International Data Transfer Agreement

We recently acted for the UK arm of a multi-national company in connection with the transfer of personal data to an HR services-provider based in the United States.

An International Data Transfer Agreement (IDTA) was prepared for the client using the Information Commissioner’s Office (ICO) standard form agreement, which came into force on 21 March 2022 (as well as a Data Transfer Addendum which can be used with the EC Standard Contractual Clauses). Any contract signed after 21 September 2022 is required to use the IDTA or the Addendum for a restricted transfer of personal data from the UK – i.e. one to a jurisdiction not covered by UK adequacy regulations and where none of the exceptions set out in the UK GDPR apply. 

The United States is not covered by the adequacy regulations and none of the exceptions were applicable, so an IDTA was required as this is a so-called Article 46 transfer mechanism providing ‘appropriate safeguards for the transfer where there is no adequacy finding or applicable exceptions.

The ICO make it abundantly clear that any person relying on an Article 46 transfer mechanism must carry out a transfer risk assessment (TRA). The reason for this is that, taking into account factors such as the nature of the personal data being transferred and the legal regime in the recipient jurisdiction, the IDTA on its own may not be sufficient to provide the required protections under the UK data protection regime for the data subjects whose personal data is being transferred. The TRA allows a structured and methodical analysis to be carried out on this sufficiency issue, and the outcome may be that additional protections are needed, be they organisational, technical and so on. 

Jon Chapman

Senior Consultant

View profile

+44 118 960 4683

The ICO make it abundantly clear that any person relying on an Article 46 transfer mechanism must carry out a transfer risk assessment (TRA).

In this case, we prepared a detailed TRA following guidance published by the ICO as to content and structure. This required us to examine the nature of the personal data being transferred, the contractual and other safeguards in place with the recipient in the United States and relevant aspects of the US legal regime, such as the ability of third parties (e.g. government bodies) to access personal data held by commercial organisations, and any applicable constraints and safeguards. Current US law and recent developments in this area were considered. For example, on 7 October 2022, President Biden signed an Executive Order on Enhancing Safeguards for US Signals Intelligence Activities, which is aimed at addressing concerns raised by the European Court of Justice about the risk of US government surveillance to the privacy rights of Europeans (with the ultimate aim of allowing reinstatement of the EU-US Privacy Shield). Although the Order has a specific EU angle, it seems likely that its ambit will be extended to UK data subjects given the close alignment between EU and UK data protection laws, and so this was a relevant potential risk mitigant. 

The TRA must be thorough and forensic, and not a case of simply going through the motions. If an appropriate safeguard used by an organisation transferring restricted data to another jurisdiction is subsequently challenged, the TRA will be vital in demonstrating that correct processes were followed. 

In this case, we concluded on the basis of the TRA exercise, that the IDTA provided an appropriate safeguard for the restricted transfer. 

If you need any advice on an International Data Transfer Agreement, please do not hesitate to contact a member of our data protection team, who will be happy to assist. 

About this article

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

Jon Chapman

Senior Consultant

View profile

+44 118 960 4683

About this article

Read, listen and watch our latest insights

art
  • 26 June 2025
  • Employment

A shift in EHRC guidance on single sex spaces in the workplace

In a recent significant shift, the Equality and Human Rights Commission (“the EHRC”) has quietly amended its guidance on single sex spaces in the workplace.

art
  • 25 June 2025
  • Immigration

Immigration Changes in Statement HC 836 – what do they mean?

The UK government has released its latest Statement of Changes to the Immigration Rules (HC 836), with shocking implementation dates throughout July 2025.

art
  • 20 June 2025
  • Privacy and Data Protection

Data Protection reform receives Royal Assent: What is the Data (Use and Access) Act 2025 (DUAA) and what it means for your business

The UK’s data protection framework is about to undergo its most significant change since the UK GDPR came into force. After months of parliamentary debate, the Data (Use and Access) Act 2025 (‘DUAA’) has successfully received Royal Assent.

art
  • 18 June 2025
  • Employment

Pride Month: How Can You Celebrate as an Employer

The UK held its first Pride Parade in 1972, inspired by events held in major American cities following the Stonewall rebellion in New York in June 1969.

Pub
  • 16 June 2025
  • Privacy and Data Protection

WhatsApp in the workplace: Is it legally safe?

In this podcast, Lucy White and Monica Mastropasqua, members of the Data Protection team at Clarkslegal, will address frequently asked questions from clients regarding the use of WhatsApp at work.

art
  • 13 June 2025
  • Employment

Human Resources – A Shift Towards artificial intelligence?

On 6 May 2025, the SRA authorised the first law firm providing legal services through artificial intelligence. Garfield.Law will provide an AI-powered tool which can assist businesses with the small claims court process, to aid in recovering unpaid debts.