Standard Data Protection Clauses to be issued by the

Commissioner under S119A(1) Data Protection Act 2018

International Data Transfer Agreement

VERSION A1.0, in force 21 March 2022

This IDTA has been issued by the Information Commissioner for Parties making
Restricted Transfers. The Information Commissioner considers that it provides
Appropriate Safeguards for Restricted Transfers when it is entered into as a
legally binding contract.

Part 1: Tables

Table 1: Parties and signatures

Start date

Exporter (who sends the Importer (who receives

The Parties
Restricted Transfer) the Restricted Transfer)

Parties’ details Full legal name: Full legal name:

Trading name (if different): Trading name (if different):

Main address (if a company Main address (if a company

registered address): registered address):
Official registration number Official registration number
(if any) (company number (if any) (company number or
or similar identifier): similar identifier):

Key Contact Full Name (optional): Full Name (optional):

Job Title: Job Title:

VERSION A1.0, in force 21 March 2022 1

International Data Transfer Agreement

Contact details including Contact details including

email: email:

Importer Data Job Title:

Subject
Contact details including
Contact
email:

Signatures Signed for and on behalf of Signed for and on behalf of

confirming the Exporter set out above the Importer set out above
each Party
Signed: Signed:
agrees to be
bound by this Date of signature: Date of signature:
IDTA Full name: Full name:
Job title: Job title:

Table 2: Transfer Details

UK country’s England and Wales

law that
Northern Ireland
governs the
IDTA: Scotland

Primary place England and Wales

for legal claims
Northern Ireland
to be made by
the Parties Scotland

The status of In relation to the Processing of the Transferred Data:

the Exporter
Exporter is a Controller
Exporter is a Processor or Sub-Processor

The status of In relation to the Processing of the Transferred Data:

the Importer
Importer is a Controller
Importer is the Exporter’s Processor or Sub-Processor
Importer is not the Exporter’s Processor or Sub-
Processor (and the Importer has been instructed by a
Third Party Controller)

VERSION A1.0, in force 21 March 2022 2

International Data Transfer Agreement

Whether UK UK GDPR applies to the Importer’s Processing of the

GDPR applies Transferred Data
to the
UK GDPR does not apply to the Importer’s Processing of
Importer
the Transferred Data

Linked If the Importer is the Exporter’s Processor or Sub-

Agreement Processor – the agreement(s) between the Parties which
sets out the Processor’s or Sub-Processor’s instructions for
Processing the Transferred Data:
Name of agreement:
Date of agreement:
Parties to the agreement:
Reference (if any):
Other agreements – any agreement(s) between the
Parties which set out additional obligations in relation to the
Transferred Data, such as a data sharing agreement or
service agreement:
Name of agreement:
Date of agreement:
Parties to the agreement:
Reference (if any):
If the Exporter is a Processor or Sub-Processor – the
agreement(s) between the Exporter and the Party(s) which
sets out the Exporter’s instructions for Processing the
Transferred Data:
Name of agreement:
Date of agreement:
Parties to the agreement:
Reference (if any):

Term The Importer may Process the Transferred Data for the
following time period:
the period for which the Linked Agreement is in force
time period:

VERSION A1.0, in force 21 March 2022 3

International Data Transfer Agreement

(only if the Importer is a Controller or not the Exporter’s

Processor or Sub-Processor) no longer than is necessary
for the Purpose.

Ending the the Parties cannot end the IDTA before the end of the
IDTA before Term unless there is a breach of the IDTA or the Parties
the end of the agree in writing.
Term
the Parties can end the IDTA before the end of the Term
by serving:
months’ written notice, as set out in Section 29
(How to end this IDTA without there being a breach).

Ending the Which Parties may end the IDTA as set out in Section 29.2:
IDTA when the
Importer
Approved IDTA
changes Exporter
neither Party

Can the The Importer MAY transfer on the Transferred Data to

Importer make another organisation or person (who is a different legal
further entity) in accordance with Section 16.1 (Transferring on
transfers of the Transferred Data).
the
The Importer MAY NOT transfer on the Transferred Data
Transferred
to another organisation or person (who is a different
Data?
legal entity) in accordance with Section 16.1
(Transferring on the Transferred Data).

Specific The Importer MAY ONLY forward the Transferred Data in

restrictions accordance with Section 16.1:
when the
if the Exporter tells it in writing that it may do so.
Importer may
transfer on the to:
Transferred to the authorised receivers (or the categories of
Data authorised receivers) set out in:
there are no specific restrictions.

Review Dates No review is needed as this is a one-off transfer and the

Importer does not retain any Transferred Data
First review date:

VERSION A1.0, in force 21 March 2022 4

International Data Transfer Agreement

The Parties must review the Security Requirements at least

once:
each month(s)
each quarter
each 6 months
each year
each year(s)
each time there is a change to the Transferred Data,
Purposes, Importer Information, TRA or risk assessment

Table 3: Transferred Data

Transferred The personal data to be sent to the Importer under this

Data IDTA consists of:
The categories of Transferred Data will update
automatically if the information is updated in the Linked
Agreement referred to.
The categories of Transferred Data will NOT update
automatically if the information is updated in the Linked
Agreement referred to. The Parties must agree a change
under Section 5.3.

Special The Transferred Data includes data relating to:

Categories of
racial or ethnic origin
Personal Data
and criminal political opinions
convictions religious or philosophical beliefs
and offences
trade union membership
genetic data
biometric data for the purpose of uniquely identifying a
natural person
physical or mental health
sex life or sexual orientation
criminal convictions and offences
none of the above
set out in:

VERSION A1.0, in force 21 March 2022 5

International Data Transfer Agreement

And:
The categories of special category and criminal records
data will update automatically if the information is
updated in the Linked Agreement referred to.
The categories of special category and criminal records
data will NOT update automatically if the information is
updated in the Linked Agreement referred to. The Parties
must agree a change under Section 5.3.

Relevant Data The Data Subjects of the Transferred Data are:

Subjects
The categories of Data Subjects will update automatically
if the information is updated in the Linked Agreement
referred to.
The categories of Data Subjects will not update
automatically if the information is updated in the Linked
Agreement referred to. The Parties must agree a change
under Section 5.3.

Purpose The Importer may Process the Transferred Data for the
following purposes:
The Importer may Process the Transferred Data for the
purposes set out in:
In both cases, any other purposes which are compatible
with the purposes set out above.
The purposes will update automatically if the information
is updated in the Linked Agreement referred to.
The purposes will NOT update automatically if the
information is updated in the Linked Agreement referred
to. The Parties must agree a change under Section 5.3.

Table 4: Security Requirements

Security of
Transmission

VERSION A1.0, in force 21 March 2022 6

International Data Transfer Agreement

Security of
Storage

Security of
Processing

Organisational
security
measures

Technical
security
minimum
requirements

Updates to the The Security Requirements will update automatically if

Security the information is updated in the Linked Agreement
Requirements referred to.
The Security Requirements will NOT update automatically
if the information is updated in the Linked Agreement
referred to. The Parties must agree a change under
Section 5.3.

Part 2: Extra Protection Clauses

Extra
Protection
Clauses:

(i) Extra
technical
security
protections

(ii) Extra
organisational
protections

VERSION A1.0, in force 21 March 2022 7

International Data Transfer Agreement

(iii) Extra
contractual
protections

Part 3: Commercial Clauses

Commercial
Clauses

Part 4: Mandatory Clauses

Information that helps you to understand this IDTA

1. This IDTA and Linked Agreements

1.1 Each Party agrees to be bound by the terms and conditions set out in the
IDTA, in exchange for the other Party also agreeing to be bound by the
IDTA.

1.2 This IDTA is made up of:

1.2.1 Part one: Tables;

1.2.2 Part two: Extra Protection Clauses;

1.2.3 Part three: Commercial Clauses; and

1.2.4 Part four: Mandatory Clauses.

1.3 The IDTA starts on the Start Date and ends as set out in Sections 29 or
30.

1.4 If the Importer is a Processor or Sub-Processor instructed by the Exporter:

the Exporter must ensure that, on or before the Start Date and during the
Term, there is a Linked Agreement which is enforceable between the Parties
and which complies with Article 28 UK GDPR (and which they will ensure
continues to comply with Article 28 UK GDPR).

1.5 References to the Linked Agreement or to the Commercial Clauses are to

that Linked Agreement or to those Commercial Clauses only in so far as
they are consistent with the Mandatory Clauses.

VERSION A1.0, in force 21 March 2022 8

International Data Transfer Agreement

2. Legal Meaning of Words

2.1 If a word starts with a capital letter it has the specific meaning set out in
the Legal Glossary in Section 36.

2.2 To make it easier to read and understand, this IDTA contains headings and
guidance notes. Those are not part of the binding contract which forms the
IDTA.

3. You have provided all the information required

3.1 The Parties must ensure that the information contained in Part one: Tables
is correct and complete at the Start Date and during the Term.

3.2 In Table 2: Transfer Details, if the selection that the Parties are
Controllers, Processors or Sub-Processors is wrong (either as a matter of
fact or as a result of applying the UK Data Protection Laws) then:

3.2.1 the terms and conditions of the Approved IDTA which apply to the
correct option which was not selected will apply; and

3.2.2 the Parties and any Relevant Data Subjects are entitled to enforce
the terms and conditions of the Approved IDTA which apply to that
correct option.

3.3 In Table 2: Transfer Details, if the selection that the UK GDPR applies is
wrong (either as a matter of fact or as a result of applying the UK Data
Protection Laws), then the terms and conditions of the IDTA will still apply
to the greatest extent possible.

4. How to sign the IDTA

4.1 The Parties may choose to each sign (or execute):

4.1.1 the same copy of this IDTA;

4.1.2 two copies of the IDTA. In that case, each identical copy is still an
original of this IDTA, and together all those copies form one
agreement;

4.1.3 a separate, identical copy of the IDTA. In that case, each identical
copy is still an original of this IDTA, and together all those copies
form one agreement,

unless signing (or executing) in this way would mean that the IDTA would
not be binding on the Parties under Local Laws.

5. Changing this IDTA

5.1 Each Party must not change the Mandatory Clauses as set out in the
Approved IDTA, except only:

VERSION A1.0, in force 21 March 2022 9

International Data Transfer Agreement

5.1.1 to ensure correct cross-referencing: cross-references to Part one:

Tables (or any Table), Part two: Extra Protections, and/or Part
three: Commercial Clauses can be changed where the Parties have
set out the information in a different format, so that the cross-
reference is to the correct location of the same information, or
where clauses have been removed as they do not apply, as set out
below;

5.1.2 to remove those Sections which are expressly stated not to apply
to the selections made by the Parties in Table 2: Transfer Details,
that the Parties are Controllers, Processors or Sub-Processors
and/or that the Importer is subject to, or not subject to, the UK
GDPR. The Exporter and Importer understand and acknowledge
that any removed Sections may still apply and form a part of this
IDTA if they have been removed incorrectly, including because the
wrong selection is made in Table 2: Transfer Details;

5.1.3 so the IDTA operates as a multi-party agreement if there are more

than two Parties to the IDTA. This may include nominating a lead
Party or lead Parties which can make decisions on behalf of some
or all of the other Parties which relate to this IDTA (including
reviewing Table 4: Security Requirements and Part two: Extra
Protection Clauses, and making updates to Part one: Tables (or
any Table), Part two: Extra Protection Clauses, and/or Part three:
Commercial Clauses); and/or

5.1.4 to update the IDTA to set out in writing any changes made to the
Approved IDTA under Section 5.4, if the Parties want to. The
changes will apply automatically without updating them as
described in Section 5.4;

provided that the changes do not reduce the Appropriate Safeguards.

5.2 If the Parties wish to change the format of the information included in Part
one: Tables, Part two: Extra Protection Clauses or Part three: Commercial
Clauses of the Approved IDTA, they may do so by agreeing to the change
in writing, provided that the change does not reduce the Appropriate
Safeguards.

5.3 If the Parties wish to change the information included in Part one: Tables,
Part two: Extra Protection Clauses or Part three: Commercial Clauses of
this IDTA (or the equivalent information), they may do so by agreeing to
the change in writing, provided that the change does not reduce the
Appropriate Safeguards.

5.4 From time to time, the ICO may publish a revised Approved IDTA which:

VERSION A1.0, in force 21 March 2022 10

International Data Transfer Agreement

5.4.1 makes reasonable and proportionate changes to the Approved

IDTA, including correcting errors in the Approved IDTA; and/or

5.4.2 reflects changes to UK Data Protection Laws.

The revised Approved IDTA will specify the start date from which the
changes to the Approved IDTA are effective and whether an additional
Review Date is required as a result of the changes. This IDTA is
automatically amended as set out in the revised Approved IDTA from the
start date specified.

6. Understanding this IDTA

6.1 This IDTA must always be interpreted in a manner that is consistent with
UK Data Protection Laws and so that it fulfils the Parties’ obligation to
provide the Appropriate Safeguards.

6.2 If there is any inconsistency or conflict between UK Data Protection Laws

and this IDTA, the UK Data Protection Laws apply.

6.3 If the meaning of the IDTA is unclear or there is more than one meaning,
the meaning which most closely aligns with the UK Data Protection Laws
applies.

6.4 Nothing in the IDTA (including the Commercial Clauses or the Linked
Agreement) limits or excludes either Party’s liability to Relevant Data
Subjects or to the ICO under this IDTA or under UK Data Protection Laws.

6.5 If any wording in Parts one, two or three contradicts the Mandatory
Clauses, and/or seeks to limit or exclude any liability to Relevant Data
Subjects or to the ICO, then that wording will not apply.

6.6 The Parties may include provisions in the Linked Agreement which provide
the Parties with enhanced rights otherwise covered by this IDTA. These
enhanced rights may be subject to commercial terms, including payment,
under the Linked Agreement, but this will not affect the rights granted
under this IDTA.

6.7 If there is any inconsistency or conflict between this IDTA and a Linked
Agreement or any other agreement, this IDTA overrides that Linked
Agreement or any other agreements, even if those agreements have been
negotiated by the Parties. The exceptions to this are where (and in so far
as):

6.7.1 the inconsistent or conflicting terms of the Linked Agreement or

other agreement provide greater protection for the Relevant Data
Subject’s rights, in which case those terms will override the IDTA;
and

VERSION A1.0, in force 21 March 2022 11

International Data Transfer Agreement

6.7.2 a Party acts as Processor and the inconsistent or conflicting terms

of the Linked Agreement are obligations on that Party expressly
required by Article 28 UK GDPR, in which case those terms will
override the inconsistent or conflicting terms of the IDTA in
relation to Processing by that Party as Processor.

6.8 The words “include”, “includes”, “including”, “in particular” are used to set
out examples and not to set out a finite list.

6.9 References to:

6.9.1 singular or plural words or people, also includes the plural or

singular of those words or people;

6.9.2 legislation (or specific provisions of legislation) means that

legislation (or specific provision) as it may change over time. This
includes where that legislation (or specific provision) has been
consolidated, re-enacted and/or replaced after this IDTA has been
signed; and

6.9.3 any obligation not to do something, includes an obligation not to

allow or cause that thing to be done by anyone else.

7. Which laws apply to this IDTA

7.1 This IDTA is governed by the laws of the UK country set out in Table 2:
Transfer Details. If no selection has been made, it is the laws of England
and Wales. This does not apply to Section 35 which is always governed by
the laws of England and Wales.

How this IDTA provides Appropriate Safeguards

8. The Appropriate Safeguards

8.1 The purpose of this IDTA is to ensure that the Transferred Data has
Appropriate Safeguards when Processed by the Importer during the Term.
This standard is met when and for so long as:

8.1.1 both Parties comply with the IDTA, including the Security
Requirements and any Extra Protection Clauses; and

8.1.2 the Security Requirements and any Extra Protection Clauses

provide a level of security which is appropriate to the risk of a
Personal Data Breach occurring and the impact on Relevant Data
Subjects of such a Personal Data Breach, including considering
any Special Category Data within the Transferred Data.

8.2 The Exporter must:

VERSION A1.0, in force 21 March 2022 12

International Data Transfer Agreement

8.2.1 ensure and demonstrate that this IDTA (including any Security
Requirements and Extra Protection Clauses) provides Appropriate
Safeguards; and

8.2.2 (if the Importer reasonably requests) provide it with a copy of any
TRA.

8.3 The Importer must:

8.3.1 before receiving any Transferred Data, provide the Exporter with
all relevant information regarding Local Laws and practices and
the protections and risks which apply to the Transferred Data
when it is Processed by the Importer, including any information
which may reasonably be required for the Exporter to carry out
any TRA (the “Importer Information”);

8.3.2 co-operate with the Exporter to ensure compliance with the

Exporter’s obligations under the UK Data Protection Laws;

8.3.3 review whether any Importer Information has changed, and

whether any Local Laws contradict its obligations in this IDTA and
take reasonable steps to verify this, on a regular basis. These
reviews must be at least as frequent as the Review Dates; and

8.3.4 inform the Exporter as soon as it becomes aware of any Importer

Information changing, and/or any Local Laws which may prevent
or limit the Importer complying with its obligations in this IDTA.
This information then forms part of the Importer Information.

8.4 The Importer must ensure that at the Start Date and during the Term:

8.4.1 the Importer Information is accurate;

8.4.2 it has taken reasonable steps to verify whether there are any
Local Laws which contradict its obligations in this IDTA or any
additional information regarding Local Laws which may be relevant
to this IDTA.

8.5 Each Party must ensure that the Security Requirements and Extra
Protection Clauses provide a level of security which is appropriate to the
risk of a Personal Data Breach occurring and the impact on Relevant Data
Subjects of such a Personal Data Breach.

9. Reviews to ensure the Appropriate Safeguards continue

9.1 Each Party must:

9.1.1 review this IDTA (including the Security Requirements and Extra
Protection Clauses and the Importer Information) at regular
intervals, to ensure that the IDTA remains accurate and up to date

VERSION A1.0, in force 21 March 2022 13

International Data Transfer Agreement

and continues to provide the Appropriate Safeguards. Each Party

will carry out these reviews as frequently as the relevant Review
Dates or sooner; and

9.1.2 inform the other party in writing as soon as it becomes aware if

any information contained in either this IDTA, any TRA or
Importer Information is no longer accurate and up to date.

9.2 If, at any time, the IDTA no longer provides Appropriate Safeguards the
Parties must Without Undue Delay:

9.2.1 pause transfers and Processing of Transferred Data whilst a

change to the Tables is agreed. The Importer may retain a copy of
the Transferred Data during this pause, in which case the Importer
must carry out any Processing required to maintain, so far as
possible, the measures it was taking to achieve the Appropriate
Safeguards prior to the time the IDTA no longer provided
Appropriate Safeguards, but no other Processing;

9.2.2 agree a change to Part one: Tables or Part two: Extra Protection
Clauses which will maintain the Appropriate Safeguards (in
accordance with Section 5); and

9.2.3 where a change to Part one: Tables or Part two: Extra Protection
Clauses which maintains the Appropriate Safeguards cannot be
agreed, the Exporter must end this IDTA by written notice on the
Importer.

10. The ICO

10.1 Each Party agrees to comply with any reasonable requests made by the
ICO in relation to this IDTA or its Processing of the Transferred Data.

10.2 The Exporter will provide a copy of any TRA, the Importer Information and
this IDTA to the ICO, if the ICO requests.

10.3 The Importer will provide a copy of any Importer Information and this
IDTA to the ICO, if the ICO requests.

The Exporter

11. Exporter’s obligations

11.1 The Exporter agrees that UK Data Protection Laws apply to its Processing
of the Transferred Data, including transferring it to the Importer.

11.2 The Exporter must:

VERSION A1.0, in force 21 March 2022 14

International Data Transfer Agreement

11.2.1 comply with the UK Data Protection Laws in transferring the

Transferred Data to the Importer;

11.2.2 comply with the Linked Agreement as it relates to its transferring

the Transferred Data to the Importer; and

11.2.3 carry out reasonable checks on the Importer’s ability to comply

with this IDTA, and take appropriate action including under
Section 9.2, Section 29 or Section 30, if at any time it no longer
considers that the Importer is able to comply with this IDTA or to
provide Appropriate Safeguards.

11.3 The Exporter must comply with all its obligations in the IDTA, including
any in the Security Requirements, and any Extra Protection Clauses and
any Commercial Clauses.

11.4 The Exporter must co-operate with reasonable requests of the Importer to
pass on notices or other information to and from Relevant Data Subjects
or any Third Party Controller where it is not reasonably practical for the
Importer to do so. The Exporter may pass these on via a third party if it is
reasonable to do so.

11.5 The Exporter must co-operate with and provide reasonable assistance to
the Importer, so that the Importer is able to comply with its obligations to
the Relevant Data Subjects under Local Law and this IDTA.

The Importer

12. General Importer obligations

12.1 The Importer must:

12.1.1 only Process the Transferred Data for the Purpose;

12.1.2 comply with all its obligations in the IDTA, including in the
Security Requirements, any Extra Protection Clauses and any
Commercial Clauses;

12.1.3 comply with all its obligations in the Linked Agreement which
relate to its Processing of the Transferred Data;

12.1.4 keep a written record of its Processing of the Transferred Data,

which demonstrate its compliance with this IDTA, and provide this
written record if asked to do so by the Exporter;

12.1.5 if the Linked Agreement includes rights for the Exporter to obtain
information or carry out an audit, provide the Exporter with the
same rights in relation to this IDTA; and

VERSION A1.0, in force 21 March 2022 15

International Data Transfer Agreement

12.1.6 if the ICO requests, provide the ICO with the information it would
be required on request to provide to the Exporter under this
Section 12.1 (including the written record of its Processing, and
the results of audits and inspections).

12.2 The Importer must co-operate with and provide reasonable assistance to
the Exporter and any Third Party Controller, so that the Exporter and any
Third Party Controller are able to comply with their obligations under UK
Data Protection Laws and this IDTA.

13. Importer’s obligations if it is subject to the UK Data Protection

Laws

13.1 If the Importer’s Processing of the Transferred Data is subject to UK Data

Protection Laws, it agrees that:

13.1.1 UK Data Protection Laws apply to its Processing of the Transferred

Data, and the ICO has jurisdiction over it in that respect; and

13.1.2 it has and will comply with the UK Data Protection Laws in relation
to the Processing of the Transferred Data.

13.2 If Section 13.1 applies and the Importer complies with Section 13.1, it
does not need to comply with:

• Section 14 (Importer’s obligations to comply with key data protection

principles);

• Section 15 (What happens if there is an Importer Personal Data

Breach);

• Section 15 (How Relevant Data Subjects can exercise their data subject
rights); and

• Section 21 (How Relevant Data Subjects can exercise their data subject
rights – if the Importer is the Exporter’s Processor or Sub-Processor).

14. Importer’s obligations to comply with key data protection

principles

14.1 The Importer does not need to comply with this Section 14 if it is the
Exporter’s Processor or Sub-Processor.

14.2 The Importer must:

14.2.1 ensure that the Transferred Data it Processes is adequate,

relevant and limited to what is necessary for the Purpose;

14.2.2 ensure that the Transferred Data it Processes is accurate and

(where necessary) kept up to date, and (where appropriate

VERSION A1.0, in force 21 March 2022 16

International Data Transfer Agreement

considering the Purposes) correct or delete any inaccurate

Transferred Data it becomes aware of Without Undue Delay; and

14.2.3 ensure that it Processes the Transferred Data for no longer than is
reasonably necessary for the Purpose.

15. What happens if there is an Importer Personal Data Breach

15.1 If there is an Importer Personal Data Breach, the Importer must:

15.1.1 take reasonable steps to fix it, including to minimise the harmful
effects on Relevant Data Subjects, stop it from continuing, and
prevent it happening again. If the Importer is the Exporter’s
Processor or Sub-Processor: these steps must comply with the
Exporter’s instructions and the Linked Agreement and be in co-
operation with the Exporter and any Third Party Controller; and

15.1.2 ensure that the Security Requirements continue to provide (or are
changed in accordance with this IDTA so they do provide) a level
of security which is appropriate to the risk of a Personal Data
Breach occurring and the impact on Relevant Data Subjects of
such a Personal Data Breach.

15.2 If the Importer is a Processor or Sub-Processor: if there is an Importer

Personal Data Breach, the Importer must:

15.2.1 notify the Exporter Without Undue Delay after becoming aware of
the breach, providing the following information:

15.2.1.1 a description of the nature of the Importer Personal Data

Breach;

15.2.1.2 (if and when possible) the categories and approximate

number of Data Subjects and Transferred Data records
concerned;

15.2.1.3 likely consequences of the Importer Personal Data

Breach;

15.2.1.4 steps taken (or proposed to be taken) to fix the Importer

Personal Data Breach (including to minimise the harmful
effects on Relevant Data Subjects, stop it from
continuing, and prevent it happening again) and to
ensure that Appropriate Safeguards are in place;

15.2.1.5 contact point for more information; and

15.2.1.6 any other information reasonably requested by the

Exporter,

VERSION A1.0, in force 21 March 2022 17

International Data Transfer Agreement

15.2.2 if it is not possible for the Importer to provide all the above
information at the same time, it may do so in phases, Without
Undue Delay; and

15.2.3 assist the Exporter (and any Third Party Controller) so the
Exporter (or any Third Party Controller) can inform Relevant Data
Subjects or the ICO or any other relevant regulator or authority
about the Importer Personal Data Breach Without Undue Delay.

15.3 If the Importer is a Controller: if the Importer Personal Data Breach is

likely to result in a risk to the rights or freedoms of any Relevant Data
Subject the Importer must notify the Exporter Without Undue Delay after
becoming aware of the breach, providing the following information:

15.3.1 a description of the nature of the Importer Personal Data Breach;

15.3.2 (if and when possible) the categories and approximate number of
Data Subjects and Transferred Data records concerned;

15.3.3 likely consequences of the Importer Personal Data Breach;

15.3.4 steps taken (or proposed to be taken) to fix the Importer Personal
Data Breach (including to minimise the harmful effects on
Relevant Data Subjects, stop it from continuing, and prevent it
happening again) and to ensure that Appropriate Safeguards are
in place;

15.3.5 contact point for more information; and

15.3.6 any other information reasonably requested by the Exporter.

If it is not possible for the Importer to provide all the above information at
the same time, it may do so in phases, Without Undue Delay.

15.4 If the Importer is a Controller: if the Importer Personal Data Breach is

likely to result in a high risk to the rights or freedoms of any Relevant
Data Subject, the Importer must inform those Relevant Data Subjects
Without Undue Delay, except in so far as it requires disproportionate
effort, and provided the Importer ensures that there is a public
communication or similar measures whereby Relevant Data Subjects are
informed in an equally effective manner.

15.5 The Importer must keep a written record of all relevant facts relating to
the Importer Personal Data Breach, which it will provide to the Exporter
and the ICO on request.

This record must include the steps it takes to fix the Importer Personal
Data Breach (including to minimise the harmful effects on Relevant Data
Subjects, stop it from continuing, and prevent it happening again) and to

VERSION A1.0, in force 21 March 2022 18

International Data Transfer Agreement

ensure that Security Requirements continue to provide a level of security

which is appropriate to the risk of a Personal Data Breach occurring and
the impact on Relevant Data Subjects of such a Personal Data Breach.

16. Transferring on the Transferred Data

16.1 The Importer may only transfer on the Transferred Data to a third party if
it is permitted to do so in Table 2: Transfer Details Table, the transfer is
for the Purpose, the transfer does not breach the Linked Agreement, and
one or more of the following apply:

16.1.1 the third party has entered into a written contract with the
Importer containing the same level of protection for Data Subjects
as contained in this IDTA (based on the role of the recipient as
controller or processor), and the Importer has conducted a risk
assessment to ensure that the Appropriate Safeguards will be
protected by that contract; or

16.1.2 the third party has been added to this IDTA as a Party; or

16.1.3 if the Importer was in the UK, transferring on the Transferred Data
would comply with Article 46 UK GDPR; or

16.1.4 if the Importer was in the UK transferring on the Transferred Data

would comply with one of the exceptions in Article 49 UK GDPR; or

16.1.5 the transfer is to the UK or an Adequate Country.

16.2 The Importer does not need to comply with Section 16.1 if it is
transferring on Transferred Data and/or allowing access to the Transferred
Data in accordance with Section 23 (Access Requests and Direct Access).

17. Importer’s responsibility if it authorises others to perform its

obligations

17.1 The Importer may sub-contract its obligations in this IDTA to a Processor
or Sub-Processor (provided it complies with Section 16).

17.2 If the Importer is the Exporter’s Processor or Sub-Processor: it must also

comply with the Linked Agreement or be with the written consent of the
Exporter.

17.3 The Importer must ensure that any person or third party acting under its
authority, including a Processor or Sub-Processor, must only Process the
Transferred Data on its instructions.

17.4 The Importer remains fully liable to the Exporter, the ICO and Relevant
Data Subjects for its obligations under this IDTA where it has sub-
contracted any obligations to its Processors and Sub-Processors, or
authorised an employee or other person to perform them (and references

VERSION A1.0, in force 21 March 2022 19

International Data Transfer Agreement

to the Importer in this context will include references to its Processors,

Sub-Processors or authorised persons).

What rights do individuals have?

18. The right to a copy of the IDTA

18.1 If a Party receives a request from a Relevant Data Subject for a copy of
this IDTA:

18.1.1 it will provide the IDTA to the Relevant Data Subject and inform
the other Party, as soon as reasonably possible;

18.1.2 it does not need to provide copies of the Linked Agreement, but it
must provide all the information from those Linked Agreements
referenced in the Tables;

18.1.3 it may redact information in the Tables or the information

provided from the Linked Agreement if it is reasonably necessary
to protect business secrets or confidential information, so long as
it provides the Relevant Data Subject with a summary of those
redactions so that the Relevant Data Subject can understand the
content of the Tables or the information provided from the Linked
Agreement.

19. The right to Information about the Importer and its Processing

19.1 The Importer does not need to comply with this Section 19 if it is the
Exporter’s Processor or Sub-Processor.

19.2 The Importer must ensure that each Relevant Data Subject is provided
with details of:

• the Importer (including contact details and the Importer Data Subject
Contact);

• the Purposes; and

• any recipients (or categories of recipients) of the Transferred Data;

The Importer can demonstrate it has complied with this Section 19.2 if the
information is given (or has already been given) to the Relevant Data
Subjects by the Exporter or another party.

The Importer does not need to comply with this Section 19.2 in so far as
to do so would be impossible or involve a disproportionate effort, in which
case, the Importer must make the information publicly available.

VERSION A1.0, in force 21 March 2022 20

International Data Transfer Agreement

19.3 The Importer must keep the details of the Importer Data Subject Contact
up to date and publicly available. This includes notifying the Exporter in
writing of any such changes.

19.4 The Importer must make sure those contact details are always easy to
access for all Relevant Data Subjects and be able to easily communicate
with Data Subjects in the English language Without Undue Delay.

20. How Relevant Data Subjects can exercise their data subject rights

20.1 The Importer does not need to comply with this Section 20 if it is the
Exporter’s Processor or Sub-Processor.

20.2 If an individual requests, the Importer must confirm whether it is

Processing their Personal Data as part of the Transferred Data.

20.3 The following Sections of this Section 20, relate to a Relevant Data
Subject’s Personal Data which forms part of the Transferred Data the
Importer is Processing.

20.4 If the Relevant Data Subject requests, the Importer must provide them
with a copy of their Transferred Data:

20.4.1 Without Undue Delay (and in any event within one month);

20.4.2 at no greater cost to the Relevant Data Subject than it would be

able to charge if it were subject to the UK Data Protection Laws;

20.4.3 in clear and plain English that is easy to understand; and

20.4.4 in an easily accessible form

together with

20.4.5 (if needed) a clear and plain English explanation of the Transferred
Data so that it is understandable to the Relevant Data Subject;
and

20.4.6 information that the Relevant Data Subject has the right to bring a
claim for compensation under this IDTA.

20.5 If a Relevant Data Subject requests, the Importer must:

20.5.1 rectify inaccurate or incomplete Transferred Data;

20.5.2 erase Transferred Data if it is being Processed in breach of this

IDTA;

20.5.3 cease using it for direct marketing purposes; and

VERSION A1.0, in force 21 March 2022 21

International Data Transfer Agreement

20.5.4 comply with any other reasonable request of the Relevant Data
Subject, which the Importer would be required to comply with if it
were subject to the UK Data Protection Laws.

20.6 The Importer must not use the Transferred Data to make decisions about
the Relevant Data Subject based solely on automated processing,
including profiling (the “Decision-Making”), which produce legal effects
concerning the Relevant Data Subject or similarly significantly affects
them, except if it is permitted by Local Law and:

20.6.1 the Relevant Data Subject has given their explicit consent to such
Decision-Making; or

20.6.2 Local Law has safeguards which provide sufficiently similar

protection for the Relevant Data Subjects in relation to such
Decision-Making, as to the relevant protection the Relevant Data
Subject would have if such Decision-Making was in the UK; or

20.6.3 the Extra Protection Clauses provide safeguards for the Decision-
Making which provide sufficiently similar protection for the
Relevant Data Subjects in relation to such Decision-Making, as to
the relevant protection the Relevant Data Subject would have if
such Decision-Making was in the UK.

21. How Relevant Data Subjects can exercise their data subject rights–
if the Importer is the Exporter’s Processor or Sub-Processor

21.1 Where the Importer is the Exporter’s Processor or Sub-Processor: If the

Importer receives a request directly from an individual which relates to the
Transferred Data it must pass that request on to the Exporter Without
Undue Delay. The Importer must only respond to that individual as
authorised by the Exporter or any Third Party Controller.

22. Rights of Relevant Data Subjects are subject to the exemptions in

the UK Data Protection Laws

22.1 The Importer is not required to respond to requests or provide information

or notifications under Sections 18, 19, 20, 21 and 23 if:

22.1.1 it is unable to reasonably verify the identity of an individual

making the request; or

22.1.2 the requests are manifestly unfounded or excessive, including

where requests are repetitive. In that case the Importer may
refuse the request or may charge the Relevant Data Subject a
reasonable fee; or

22.1.3 a relevant exemption would be available under UK Data Protection

Laws, were the Importer subject to the UK Data Protection Laws.

VERSION A1.0, in force 21 March 2022 22

International Data Transfer Agreement

If the Importer refuses an individual’s request or charges a fee under

Section 22.1.2 it will set out in writing the reasons for its refusal or
charge, and inform the Relevant Data Subject that they are entitled to
bring a claim for compensation under this IDTA in the case of any breach
of this IDTA.

How to give third parties access to Transferred Data under Local Laws

23. Access requests and direct access

23.1 In this Section 23 an “Access Request” is a legally binding request (except

for requests only binding by contract law) to access any Transferred Data
and “Direct Access” means direct access to any Transferred Data by public
authorities of which the Importer is aware.

23.2 The Importer may disclose any requested Transferred Data in so far as it
receives an Access Request, unless in the circumstances it is reasonable
for it to challenge that Access Request on the basis there are significant
grounds to believe that it is unlawful.

23.3 In so far as Local Laws allow and it is reasonable to do so, the Importer
will Without Undue Delay provide the following with relevant information
about any Access Request or Direct Access: the Exporter; any Third Party
Controller; and where the Importer is a Controller, any Relevant Data
Subjects.

23.4 In so far as Local Laws allow, the Importer must:

23.4.1 make and keep a written record of Access Requests and Direct
Access, including (if known): the dates, the identity of the
requestor/accessor, the purpose of the Access Request or Direct
Access, the type of data requested or accessed, whether it was
challenged or appealed, and the outcome; and the Transferred
Data which was provided or accessed; and

23.4.2 provide a copy of this written record to the Exporter on each

Review Date and any time the Exporter or the ICO reasonably
requests.

24. Giving notice

24.1 If a Party is required to notify any other Party in this IDTA it will be
marked for the attention of the relevant Key Contact and sent by e-mail to
the e-mail address given for the Key Contact.

24.2 If the notice is sent in accordance with Section 24.1, it will be deemed to
have been delivered at the time the e-mail was sent, or if that time is
outside of the receiving Party’s normal business hours, the receiving

VERSION A1.0, in force 21 March 2022 23

International Data Transfer Agreement

Party’s next normal business day, and provided no notice of non-delivery

or bounceback is received.

24.3 The Parties agree that any Party can update their Key Contact details by
giving 14 days’ (or more) notice in writing to the other Party.

25. General clauses

25.1 In relation to the transfer of the Transferred Data to the Importer and the
Importer’s Processing of the Transferred Data, this IDTA and any Linked
Agreement:

25.1.1 contain all the terms and conditions agreed by the Parties; and

25.1.2 override all previous contacts and arrangements, whether oral or

in writing.

25.2 If one Party made any oral or written statements to the other before
entering into this IDTA (which are not written in this IDTA) the other Party
confirms that it has not relied on those statements and that it will not
have a legal remedy if those statements are untrue or incorrect, unless
the statement was made fraudulently.

25.3 Neither Party may novate, assign or obtain a legal charge over this IDTA
(in whole or in part) without the written consent of the other Party, which
may be set out in the Linked Agreement.

25.4 Except as set out in Section 17.1, neither Party may sub contract its
obligations under this IDTA without the written consent of the other Party,
which may be set out in the Linked Agreement.

25.5 This IDTA does not make the Parties a partnership, nor appoint one Party
to act as the agent of the other Party.

25.6 If any Section (or part of a Section) of this IDTA is or becomes illegal,
invalid or unenforceable, that will not affect the legality, validity and
enforceability of any other Section (or the rest of that Section) of this
IDTA.

25.7 If a Party does not enforce, or delays enforcing, its rights or remedies
under or in relation to this IDTA, this will not be a waiver of those rights or
remedies. In addition, it will not restrict that Party’s ability to enforce
those or any other right or remedy in future.

25.8 If a Party chooses to waive enforcing a right or remedy under or in relation

to this IDTA, then this waiver will only be effective if it is made in writing.
Where a Party provides such a written waiver:

25.8.1 it only applies in so far as it explicitly waives specific rights or

remedies;

VERSION A1.0, in force 21 March 2022 24

International Data Transfer Agreement

25.8.2 it shall not prevent that Party from exercising those rights or
remedies in the future (unless it has explicitly waived its ability to
do so); and

25.8.3 it will not prevent that Party from enforcing any other right or
remedy in future.

What happens if there is a breach of this IDTA?

26. Breaches of this IDTA

26.1 Each Party must notify the other Party in writing (and with all relevant
details) if it:

26.1.1 has breached this IDTA; or

26.1.2 it should reasonably anticipate that it may breach this IDTA, and
provide any information about this which the other Party
reasonably requests.

26.2 In this IDTA “Significant Harmful Impact” means that there is more than a
minimal risk of a breach of the IDTA causing (directly or indirectly)
significant damage to any Relevant Data Subject or the other Party.

27. Breaches of this IDTA by the Importer

27.1 If the Importer has breached this IDTA, and this has a Significant Harmful
Impact, the Importer must take steps Without Undue Delay to end the
Significant Harmful Impact, and if that is not possible to reduce the
Significant Harmful Impact as much as possible.

27.2 Until there is no ongoing Significant Harmful Impact on Relevant Data

Subjects:

27.2.1 the Exporter must suspend sending Transferred Data to the

Importer;

27.2.2 If the Importer is the Exporter’s Processor or Sub-Processor: if the

Exporter requests, the importer must securely delete all
Transferred Data or securely return it to the Exporter (or a third
party named by the Exporter); and

27.2.3 if the Importer has transferred on the Transferred Data to a third

party receiver under Section 16, and the breach has a Significant
Harmful Impact on Relevant Data Subject when it is Processed by
or on behalf of that third party receiver, the Importer must:

27.2.3.1 notify the third party receiver of the breach and suspend
sending it Transferred Data; and

VERSION A1.0, in force 21 March 2022 25

International Data Transfer Agreement

27.2.3.2 if the third party receiver is the Importer’s Processor or

Sub-Processor: make the third party receiver securely
delete all Transferred Data being Processed by it or on
its behalf, or securely return it to the Importer (or a
third party named by the Importer).

27.3 If the breach cannot be corrected Without Undue Delay, so there is no

ongoing Significant Harmful Impact on Relevant Data Subjects, the
Exporter must end this IDTA under Section 30.1.

28. Breaches of this IDTA by the Exporter

28.1 If the Exporter has breached this IDTA, and this has a Significant Harmful
Impact, the Exporter must take steps Without Undue Delay to end the
Significant Harmful Impact and if that is not possible to reduce the
Significant Harmful Impact as much as possible.

28.2 Until there is no ongoing risk of a Significant Harmful Impact on Relevant

Data Subjects, the Exporter must suspend sending Transferred Data to the
Importer.

28.3 If the breach cannot be corrected Without Undue Delay, so there is no

ongoing Significant Harmful Impact on Relevant Data Subjects, the
Importer must end this IDTA under Section 30.1.

Ending the IDTA

29. How to end this IDTA without there being a breach

29.1 The IDTA will end:

29.1.1 at the end of the Term stated in Table 2: Transfer Details; or

29.1.2 if in Table 2: Transfer Details, the Parties can end this IDTA by
providing written notice to the other: at the end of the notice
period stated;

29.1.3 at any time that the Parties agree in writing that it will end; or

29.1.4 at the time set out in Section 29.2.

29.2 If the ICO issues a revised Approved IDTA under Section 5.4, if any Party
selected in Table 2 “Ending the IDTA when the Approved IDTA changes”,
will as a direct result of the changes in the Approved IDTA have a
substantial, disproportionate and demonstrable increase in:

29.2.1 its direct costs of performing its obligations under the IDTA;
and/or

29.2.2 its risk under the IDTA,

VERSION A1.0, in force 21 March 2022 26

International Data Transfer Agreement

and in either case it has first taken reasonable steps to reduce that cost or
risk so that it is not substantial and disproportionate, that Party may end
the IDTA at the end of a reasonable notice period, by providing written
notice for that period to the other Party before the start date of the
revised Approved IDTA.

30. How to end this IDTA if there is a breach

30.1 A Party may end this IDTA immediately by giving the other Party written
notice if:

30.1.1 the other Party has breached this IDTA and this has a Significant
Harmful Impact. This includes repeated minor breaches which
taken together have a Significant Harmful Impact, and

30.1.1.1 the breach can be corrected so there is no Significant

Harmful Impact, and the other Party has failed to do so
Without Undue Delay (which cannot be more than 14
days of being required to do so in writing); or

30.1.1.2 the breach and its Significant Harmful Impact cannot be

corrected;

30.1.2 the Importer can no longer comply with Section 8.3, as there are
Local Laws which mean it cannot comply with this IDTA and this
has a Significant Harmful Impact.

31. What must the Parties do when the IDTA ends?

31.1 If the parties wish to bring this IDTA to an end or this IDTA ends in
accordance with any provision in this IDTA, but the Importer must comply
with a Local Law which requires it to continue to keep any Transferred
Data then this IDTA will remain in force in respect of any retained
Transferred Data for as long as the retained Transferred Data is retained,
and the Importer must:

31.1.1 notify the Exporter Without Undue Delay, including details of the
relevant Local Law and the required retention period;

31.1.2 retain only the minimum amount of Transferred Data it needs to

comply with that Local Law, and the Parties must ensure they
maintain the Appropriate Safeguards, and change the Tables and
Extra Protection Clauses, together with any TRA to reflect this;
and

31.1.3 stop Processing the Transferred Data as soon as permitted by that

Local Law and the IDTA will then end and the rest of this Section
29 will apply.

VERSION A1.0, in force 21 March 2022 27

International Data Transfer Agreement

31.2 When this IDTA ends (no matter what the reason is):

31.2.1 the Exporter must stop sending Transferred Data to the Importer;
and

31.2.2 if the Importer is the Exporter’s Processor or Sub-Processor: the

Importer must delete all Transferred Data or securely return it to
the Exporter (or a third party named by the Exporter), as
instructed by the Exporter;

31.2.3 if the Importer is a Controller and/or not the Exporter’s Processor

or Sub-Processor: the Importer must securely delete all
Transferred Data.

31.2.4 the following provisions will continue in force after this IDTA ends
(no matter what the reason is):

• Section 1 (This IDTA and Linked Agreements);

• Section 2 (Legal Meaning of Words);

• Section 6 (Understanding this IDTA);

• Section 7 (Which laws apply to this IDTA);

• Section 10 (The ICO);

• Sections 11.1 and 11.4 (Exporter’s obligations);

• Sections 12.1.2, 12.1.3, 12.1.4, 12.1.5 and 12.1.6 (General

Importer obligations);

• Section 13.1 (Importer’s obligations if it is subject to UK Data

Protection Laws);

• Section 17 (Importer’s responsibility if it authorised others to

perform its obligations);

• Section 24 (Giving notice);

• Section 25 (General clauses);

• Section 31 (What must the Parties do when the IDTA ends);

• Section 32 (Your liability);

• Section 33 (How Relevant Data Subjects and the ICO may

bring legal claims);

• Section 34 (Courts legal claims can be brought in);

• Section 35 (Arbitration); and

VERSION A1.0, in force 21 March 2022 28

International Data Transfer Agreement

• Section 36 (Legal Glossary).

How to bring a legal claim under this IDTA

32. Your liability

32.1 The Parties remain fully liable to Relevant Data Subjects for fulfilling their
obligations under this IDTA and (if they apply) under UK Data Protection
Laws.

32.2 Each Party (in this Section, “Party One”) agrees to be fully liable to
Relevant Data Subjects for the entire damage suffered by the Relevant
Data Subject, caused directly or indirectly by:

32.2.1 Party One’s breach of this IDTA; and/or

32.2.2 where Party One is a Processor, Party One’s breach of any

provisions regarding its Processing of the Transferred Data in the
Linked Agreement;

32.2.3 where Party One is a Controller, a breach of this IDTA by the other
Party if it involves Party One’s Processing of the Transferred Data
(no matter how minimal)

in each case unless Party One can prove it is not in any way responsible
for the event giving rise to the damage.

32.3 If one Party has paid compensation to a Relevant Data Subject under
Section 32.2, it is entitled to claim back from the other Party that part of
the compensation corresponding to the other Party’s responsibility for the
damage, so that the compensation is fairly divided between the Parties.

32.4 The Parties do not exclude or restrict their liability under this IDTA or UK
Data Protection Laws, on the basis that they have authorised anyone who
is not a Party (including a Processor) to perform any of their obligations,
and they will remain responsible for performing those obligations.

33. How Relevant Data Subjects and the ICO may bring legal claims

33.1 The Relevant Data Subjects are entitled to bring claims against the
Exporter and/or Importer for breach of the following (including where their
Processing of the Transferred Data is involved in a breach of the following
by either Party):

• Section 1 (This IDTA and Linked Agreements);

• Section 3 (You have provided all the information required by Part one:
Tables and Part two: Extra Protection Clauses);

• Section 8 (The Appropriate Safeguards);

VERSION A1.0, in force 21 March 2022 29

International Data Transfer Agreement

• Section 9 (Reviews to ensure the Appropriate Safeguards continue);

• Section 11 (Exporter’s obligations);

• Section 12 (General Importer Obligations);

• Section 13 (Importer’s obligations if it is subject to UK Data Protection

Laws);

• Section 14 (Importer’s obligations to comply with key data protection

laws);

• Section 15 (What happens if there is an Importer Personal Data

Breach);

• Section 16 (Transferring on the Transferred Data);

• Section 17 (Importer’s responsibility if it authorises others to perform

its obligations);

• Section 18 (The right to a copy of the IDTA);

• Section 19 (The Importer’s contact details for the Relevant Data

Subjects);

• Section 20 (How Relevant Data Subjects can exercise their data

subject rights);

• Section 21 (How Relevant Data Subjects can exercise their data

subject rights– if the Importer is the Exporter’s Processor or Sub-
Processor);

• Section 23 (Access Requests and Direct Access);

• Section 26 (Breaches of this IDTA);

• Section 27 (Breaches of this IDTA by the Importer);

• Section 28 (Breaches of this IDTA by the Exporter);

• Section 30 (How to end this IDTA if there is a breach);

• Section 31 (What must the Parties do when the IDTA ends); and

• any other provision of the IDTA which expressly or by implication

benefits the Relevant Data Subjects.

33.2 The ICO is entitled to bring claims against the Exporter and/or Importer
for breach of the following Sections: Section 10 (The ICO), Sections 11.1
and 11.2 (Exporter’s obligations), Section 12.1.6 (General Importer
obligations) and Section 13 (Importer’s obligations if it is subject to UK
Data Protection Laws).

VERSION A1.0, in force 21 March 2022 30

International Data Transfer Agreement

33.3 No one else (who is not a Party) can enforce any part of this IDTA
(including under the Contracts (Rights of Third Parties) Act 1999).

33.4 The Parties do not need the consent of any Relevant Data Subject or the
ICO to make changes to this IDTA, but any changes must be made in
accordance with its terms.

33.5 In bringing a claim under this IDTA, a Relevant Data Subject may be
represented by a not-for-profit body, organisation or association under the
same conditions set out in Article 80(1) UK GDPR and sections 187 to 190
of the Data Protection Act 2018.

34. Courts legal claims can be brought in

34.1 The courts of the UK country set out in Table 2: Transfer Details have non-
exclusive jurisdiction over any claim in connection with this IDTA
(including non-contractual claims).

34.2 The Exporter may bring a claim against the Importer in connection with
this IDTA (including non-contractual claims) in any court in any country
with jurisdiction to hear the claim.

34.3 The Importer may only bring a claim against the Exporter in connection
with this IDTA (including non-contractual claims) in the courts of the UK
country set out in the Table 2: Transfer Details

34.4 Relevant Data Subjects and the ICO may bring a claim against the
Exporter and/or the Importer in connection with this IDTA (including non-
contractual claims) in any court in any country with jurisdiction to hear the
claim.

34.5 Each Party agrees to provide to the other Party reasonable updates about
any claims or complaints brought against it by a Relevant Data Subject or
the ICO in connection with the Transferred Data (including claims in
arbitration).

35. Arbitration

35.1 Instead of bringing a claim in a court under Section 34, any Party, or a
Relevant Data Subject may elect to refer any dispute arising out of or in
connection with this IDTA (including non-contractual claims) to final
resolution by arbitration under the Rules of the London Court of
International Arbitration, and those Rules are deemed to be incorporated
by reference into this Section 35.

35.2 The Parties agree to submit to any arbitration started by another Party or
by a Relevant Data Subject in accordance with this Section 35.

VERSION A1.0, in force 21 March 2022 31

International Data Transfer Agreement

35.3 There must be only one arbitrator. The arbitrator (1) must be a lawyer
qualified to practice law in one or more of England and Wales, or Scotland,
or Northern Ireland and (2) must have experience of acting or advising on
disputes relating to UK Data Protection Laws.

35.4 London shall be the seat or legal place of arbitration. It does not matter if
the Parties selected a different UK country as the ‘primary place for legal
claims to be made’ in Table 2: Transfer Details.

35.5 The English language must be used in the arbitral proceedings.

35.6 English law governs this Section 35. This applies regardless of whether or
not the parties selected a different UK country’s law as the ‘UK country’s
law that governs the IDTA’ in Table 2: Transfer Details.

36. Legal Glossary

Word or Legal definition

Phrase (this is how this word or phrase must be interpreted
in the IDTA)

Access Request As defined in Section 23, as a legally binding request

(except for requests only binding by contract law) to access
any Transferred Data.

Adequate A third country, or:

Country
• a territory;
• one or more sectors or organisations within a third
country;
• an international organisation;
which the Secretary of State has specified by regulations
provides an adequate level of protection of Personal Data in
accordance with Section 17A of the Data Protection Act
2018.

Appropriate The standard of protection over the Transferred Data and of

Safeguards the Relevant Data Subject’s rights, which is required by UK
Data Protection Laws when you are making a Restricted
Transfer relying on standard data protection clauses under
Article 46(2)(d) UK GDPR.

Approved IDTA The template IDTA A1.0 issued by the ICO and laid before
Parliament in accordance with s119A of the Data Protection

VERSION A1.0, in force 21 March 2022 32

International Data Transfer Agreement

Word or Legal definition

Phrase (this is how this word or phrase must be interpreted
in the IDTA)

Act 2018 on 2 February 2022, as it is revised under Section

5.4.

Commercial The commercial clauses set out in Part three.

Clauses

Controller As defined in the UK GDPR.

Damage All material and non-material loss and damage.

Data Subject As defined in the UK GDPR.

Decision-Making As defined in Section 20.6, as decisions about the Relevant

Data Subjects based solely on automated processing,
including profiling, using the Transferred Data.

Direct Access As defined in Section 23 as direct access to any Transferred

Data by public authorities of which the Importer is aware.

Exporter The exporter identified in Table 1: Parties & Signature.

Extra Protection The clauses set out in Part two: Extra Protection Clauses.
Clauses

ICO The Information Commissioner.

Importer The importer identified in Table 1: Parties & Signature.

Importer Data The Importer Data Subject Contact identified in Table 1:

Subject Contact Parties & Signature, which may be updated in accordance
with Section 19.

VERSION A1.0, in force 21 March 2022 33

International Data Transfer Agreement

Word or Legal definition

Phrase (this is how this word or phrase must be interpreted
in the IDTA)

Importer As defined in Section 8.3.1, as all relevant information

Information regarding Local Laws and practices and the protections and
risks which apply to the Transferred Data when it is
Processed by the Importer, including for the Exporter to
carry out any TRA.

Importer A ‘personal data breach’ as defined in UK GDPR, in relation

Personal Data to the Transferred Data when Processed by the Importer.
Breach

Linked The linked agreements set out in Table 2: Transfer Details

Agreement (if any).

Local Laws Laws which are not the laws of the UK and which bind the
Importer.

Mandatory Part four: Mandatory Clauses of this IDTA.

Clauses

Notice Period As set out in Table 2: Transfer Details.

Party/Parties The parties to this IDTA as set out in Table 1: Parties &
Signature.

Personal Data As defined in the UK GDPR.

Personal Data As defined in the UK GDPR.

Breach

Processing As defined in the UK GDPR.

When the IDTA refers to Processing by the Importer, this
includes where a third party Sub-Processor of the Importer
is Processing on the Importer’s behalf.

VERSION A1.0, in force 21 March 2022 34

International Data Transfer Agreement

Word or Legal definition

Phrase (this is how this word or phrase must be interpreted
in the IDTA)

Processor As defined in the UK GDPR.

Purpose The ‘Purpose’ set out in Table 2: Transfer Details, including

any purposes which are not incompatible with the purposes
stated or referred to.

Relevant Data A Data Subject of the Transferred Data.

Subject

Restricted A transfer which is covered by Chapter V of the UK GDPR

Transfer

Review Dates The review dates or period for the Security Requirements
set out in Table 2: Transfer Details, and any review dates
set out in any revised Approved IDTA.

Significant As defined in Section 26.2 as where there is more than a

Harmful Impact minimal risk of the breach causing (directly or indirectly)
significant harm to any Relevant Data Subject or the other
Party.

Special Category As described in the UK GDPR, together with criminal

Data conviction or criminal offence data.

Start Date As set out in Table 1: Parties and signature.

Sub-Processor A Processor appointed by another Processor to Process

Personal Data on its behalf.
This includes Sub-Processors of any level, for example a
Sub-Sub-Processor.

Tables The Tables set out in Part one of this IDTA.

VERSION A1.0, in force 21 March 2022 35

International Data Transfer Agreement

Word or Legal definition

Phrase (this is how this word or phrase must be interpreted
in the IDTA)

Term As set out in Table 2: Transfer Details.

Third Party The Controller of the Transferred Data where the Exporter
Controller is a Processor or Sub-Processor
If there is not a Third Party Controller this can be
disregarded.

Transfer Risk A risk assessment in so far as it is required by UK Data

Assessment or Protection Laws to demonstrate that the IDTA provides the
TRA Appropriate Safeguards

Transferred Data Any Personal Data which the Parties transfer, or intend to
transfer under this IDTA, as described in Table 2: Transfer
Details

UK Data All laws relating to data protection, the processing of

Protection Laws personal data, privacy and/or electronic communications in
force from time to time in the UK, including the UK GDPR
and the Data Protection Act 2018.

UK GDPR As defined in Section 3 of the Data Protection Act 2018.

Without Undue Without undue delay, as that phase is interpreted in the UK

Delay GDPR.

Alternative Part 4 Mandatory Clauses:

Mandatory Part 4: Mandatory Clauses of the Approved IDTA, being the

Clauses template IDTA A.1.0 issued by the ICO and laid before
Parliament in accordance with s119A of the Data Protection
Act 2018 on 2 February 2022, as it is revised under Section
5.4 of those Mandatory Clauses.

VERSION A1.0, in force 21 March 2022 36