Transcription of Draft International data transfer agreement
1 Draft International data transfer agreement August 2021 ICO consultation Draft International data transfer agreement 2 Overview Chapter 1: Introduction to the IDTA Chapter 2: Completing the IDTA Chapter 3: Template IDTA Chapter 4: Frequently Asked Questions Chapter 5: Guidance Templates Draft International data transfer agreement 3 Contents Chapter 1: Introduction to the International data transfer agreement (IDTA) .. 4 What is the IDTA? .. 4 What is a Restricted transfer ? .. 4 What is a transfer Risk Assessment? .. 5 How does the IDTA work? .. 5 How does the IDTA link to the other agreements I have with the Importer? .. 5 Chapter 2: Completing the IDTA .. 7 Which data transfers can be used with the IDTA? .. 7 What do I need to do to put the IDTA into place? .. 8 Can I change the format of the IDTA? .. 10 Can more than two parties enter into the IDTA?
2 10 Chapter 3: Template IDTA .. 12 Part one: Tables .. 12 Part two: Extra Protection Clauses ..20 Part three: Commercial Clauses .. 21 Part four: Mandatory Clauses .. 22 Chapter 4: Frequently Asked Questions .. 56 How do I complete Table 1: Parties and Signature? .. 56 How do I complete Table 2: transfer Details? .. 57 How do I complete Table 3: Transferred Data? .. 60 How do we complete Table 4: Security Requirements? .. 62 How do we complete Part two: Extra Protection Clauses? .. 63 How do we complete Part three: Commercial Clauses? .. 64 Understanding the Mandatory Clauses .. 64 Chapter 5: Guidance Templates .. 66 Draft International data transfer agreement | Chapter 1: Introduction to IDTA 4 Chapter 1: Introduction to the International data transfer agreement (IDTA) This chapter contains guidance on what the IDTA is and how you can use it to make restricted transfers.
3 We explain some of the technical data protection terms we use in a Legal Glossary at the end of the third chapter. What is the IDTA? The IDTA is a contract for you to use when making a restricted transfer of personal data to a country outside the UK. We refer to this as the Transferred Data. The Information Commissioner decided that, the IDTA contains appropriate safeguards for the Transferred Data, including effective and enforceable data subject rights. The IDTA ensures that the relevant protections for Data Subjects of the Transferred Data, are sufficiently similar to UK protections. What is a Restricted transfer ? We define data transfers as restricted if: the UK GDPR applies to the personal data you are transferring; you are sending data to or making it accessible by a receiver [to whom the UK GDPR does not apply] OR [located in a country outside the UK]; and the receiver is a separate company or individual (including another company in the same corporate group).
4 1 Under the UK GDPR, you cannot make a restricted transfer unless: it is to a country covered by UK adequacy regulations; an exception covers the transfer ; or you make it with appropriate safeguards. An IDTA is one of the UK GDPR s appropriate safeguards. 1 This section will need to be updated following the Consultation: Section 1: Proposal and plans for the ICO to update its guidance on International transfers. Draft International data transfer agreement | Chapter 1: Introduction to IDTA 5 What is a transfer Risk Assessment? You must also complete a transfer risk assessment (TRA) to make sure that the IDTA works as you intend in the country where the receiver of the Personal Data is located. The TRA checks that local laws and practices do not override the protections that the IDTA contains. This ensures that the relevant protections for Data Subjects of the Transferred Data are sufficiently similar to the UK s protections.
5 ICO s guidance on TRAs may evolve over time relating to changes in legislation, caselaw and practical review of the operation of the guidance. How does the IDTA work? You, the person sending the data, are the Exporter. The person who receives the data is the Importer. The Exporter and the Importer both enter into the IDTA. The IDTA contains: tables which you should use to set out specific information about the Exporter, the Importer and the restricted transfer ; the option to include extra protection clauses. When you complete your TRA, you may decide that the IDTA needs extra steps in order to provide the right level of protection. These can be set out in this section, but must be included in the IDTA or the Linked agreement if the IDTA is to work as an appropriate safeguard; the option to include commercial clauses agreed by the Exporter and Importer, provided that these do not contradict the IDTA; and a set of Mandatory Clauses which must always be included.
6 This includes the Legal Glossary. How does the IDTA link to the other agreements I have with the Importer? When you make a restricted transfer , you will often, but not always, also have a service, data sharing or processing agreement between you and the Importer. In particular, if the Importer is your Processor or Sub-Processor, the UK GDPR requires you to have an agreement in place. The agreement must contain specific terms, as Article 28 UK GDPR requires. We call these Linked Agreements in the IDTA, as they link to the restricted transfer you are making. They are useful as they often contain a lot of the information you need to complete the tables. In those cases, you can refer to the relevant section of the Linked agreement . Draft International data transfer agreement | Chapter 1: Introduction to IDTA 6 It is very important that, if any of the terms contradict each other, the IDTA terms override the Linked Agreements.
7 This is to make sure that the Transferred Data has the right level of protection set out in the IDTA. Draft International data transfer agreement | Chapter 2: Completing the IDTA 7 Chapter 2: Completing the IDTA This chapter contains guidance on how to use the IDTA. We explain some of the technical data protection terms we use in a Legal Glossary at the end of the third chapter. Which data transfers can be used with the IDTA? The IDTA is designed to be used for the following information flows: 2 Transfers from: Transfers to Sender/Exporter: In each case, its Processing of the Transferred Data is governed by UK GDPR, and may be located in the UK or outside the UK Receiver/Importer: In each case it is a separate legal person or organisation to the sender/exporter Controller or Joint Controller Any party which is not its Processor for example another Controller [to which the UK GDPR does not apply] OR [located in a country outside the UK] Controller or Joint Controller Its Processor [to which the UK GDPR does not apply] OR [located in a country outside the UK] Processor Its Sub-Processor [to which the UK GDPR does not apply] OR [located in a country outside the UK] Processor (with a UK GDPR Controller) Any party which is not its Controller or Sub-Processor [to which the UK GDPR does not apply] OR [located in a country outside the UK] 2 This table will need to be updated following the Consultation: Section 1.
8 Proposal and plans for the ICO to update its guidance on International transfers Draft International data transfer agreement | Chapter 2: Completing the IDTA 8 Sub-Processor Its Sub-Sub-Processor [to which the UK GDPR does not apply] OR [located in a country outside the UK] Sub-Processor (with a UK GDPR Controller) Any party which is not its Controller or Processor [to which the UK GDPR does not apply] OR [located in a country outside the UK] It is not a restricted transfer (and so the IDTA does not cover this) where you are a Processor, and your Processing is subject to UK GDPR, but your Controller is not subject to UK GDPR. The only exception is if you are sending data to your Sub-Processor [to which the UK GDPR does not apply] OR [located in a country outside the UK]; this is a restricted transfer , and so is covered by the What do I need to do to put the IDTA into place?
9 First you need to complete your transfer risk assessment (TRA). Once this is complete and you are satisfied with the protections (including any Security Requirements and Extra Protection Clauses), you can put the IDTA into place. The IDTA itself is divided into four parts. The table below sets out what you need to do for each part of the IDTA. Chapter 4 sets out FAQs with more detailed guidance on how to complete the IDTA and what it means. Part What you need to do Part one: Tables Table 1: Parties and signature Table 2: transfer Details Table 3: Transferred Data Table 4: Security Requirements Complete with details about the specific information about the Parties and the restricted transfer . We provide template tables, but you do not need to use them. Just make sure you include all the relevant information in your IDTA (including those selections we provide as tick boxes) and your cross-references are correct.
10 Both parties need to sign the contract in Table 1 in order for the IDTA to be in force. 3 This section will need to be updated following the Consultation: Section 1: Proposal and plans for the ICO to update its guidance on International transfers. Draft International data transfer agreement | Chapter 2: Completing the IDTA 9 There are other ways to enter into a contract, but signing is the simplest way to evidence that the parties agree to be bound by the IDTA. You can use other methods if you choose, provided that the IDTA is binding on the parties. Part two: Extra Protection Clauses If your TRA identifies that you need extra steps and protections to protect the Transferred Data, you must add in clauses setting these out here. If you prefer, you include some or all of those clauses in Table 4: Security requirements instead. It can be helpful to insert them here so you can easily identify them when you review the TRA, but this is not a requirement.