The International Data Transfer Agreement (IDTA) is the UK’s standard contract for legalising restricted transfers of UK-origin personal data to countries that do not have a UK adequacy decision. It is the document the Information Commissioner’s Office issued as the UK’s post-Brexit replacement for the EU Standard Contractual Clauses (SCCs). This guide focuses on the instrument itself: what it contains, how it differs from the EU SCCs, and how the UK Addendum lets organisations reuse the EU clauses for UK transfers. For its application to a specific destination, see the IDTA for Kenya guide.
Key Facts
| Item | Detail |
|---|---|
| Full name | UK International Data Transfer Agreement |
| Issued by | UK Information Commissioner’s Office (ICO) |
| Legal basis | UK GDPR Article 46 (appropriate safeguards) |
| Replaces | EU Standard Contractual Clauses for UK-origin transfers |
| Sister document | UK Addendum to the EU SCCs |
| When used | Restricted transfers to non-adequate countries |
| EU SCCs alone for UK data | Not valid |
| Companion requirement | Transfer Risk Assessment (TRA) |
| Format | Modular UK document with tables to complete |
| Typical use | Annexed to a data processing agreement |
Key terms
- IDTA
- The standalone UK contract that provides appropriate safeguards for restricted transfers of UK-origin personal data.
- EU SCCs
- The European Commission's Standard Contractual Clauses, drafted for the EU GDPR; not valid alone for UK-origin transfers.
- UK Addendum
- A short ICO document that adapts the EU SCCs to UK GDPR so they can cover UK-origin transfers.
What the IDTA contains
Answer: The IDTA is a modular UK document that records the parties, the data, the security measures and the obligations needed to give UK personal data appropriate safeguards abroad.
Rather than a set of numbered clauses imported from the EU, the IDTA is structured as tables the parties complete, plus standard terms. It captures who is exporting and importing, the categories of personal data, the purposes, the technical and organisational security measures, the rights available to data subjects, and the rules on enforcement, liability and termination. The result is a single self-contained agreement designed specifically for UK GDPR rather than adapted from another jurisdiction’s framework.
IDTA versus the EU SCCs
Answer: The IDTA is a UK instrument for UK GDPR; the EU SCCs are an EU instrument for EU GDPR, and they are not interchangeable for UK-origin data.
| Feature | UK IDTA | EU SCCs |
|---|---|---|
| Issuing body | UK ICO | European Commission |
| Governing regime | UK GDPR | EU GDPR |
| Valid alone for UK-origin transfers | Yes | No |
| Valid alone for EU-origin transfers | No | Yes |
| Structure | Tables plus standard terms | Modular clauses |
| UK route to reuse | N/A | Combine with the UK Addendum |
The practical point for UK businesses is that the EU SCCs cannot stand alone for UK-origin transfers. After Brexit, the UK created its own framework. A firm that operates across both the UK and the EU often holds both: the IDTA (or the Addendum) for UK data, and the EU SCCs for EU data.
The UK Addendum
Answer: The UK Addendum lets an organisation that already uses the EU SCCs cover its UK-origin transfers by bolting a short UK-specific document onto those clauses.
For multinationals that have standardised on the EU SCCs, executing a full IDTA for every UK flow can be redundant. The UK Addendum solves this: it adapts the EU SCCs to UK GDPR so the same underlying clauses can serve both regimes. The choice between the standalone IDTA and the EU SCCs plus the Addendum is largely operational; both deliver Article 46 safeguards. Our SCCs for Kenya guide sets out which option suits different UK firms.
Why the TRA still applies
The IDTA, or the Addendum, is necessary but not sufficient on its own. The ICO expects a Transfer Risk Assessment to confirm the chosen safeguard will be effective in practice in the destination country, taking account of local law and the data involved. The contract sets the obligations; the TRA tests whether they will hold up. This pairing is part of the broader UK GDPR outsourcing approach and the wider UK-Kenya compliance framework.
For the wider context, see our guide to outsourcing to Kenya and the kenya outsourcing rates overview.
Key Takeaways
- The IDTA is the UK’s post-Brexit instrument for restricted transfers of UK-origin personal data to non-adequate countries.
- It replaces the EU SCCs for UK-origin data; the EU SCCs are not valid alone for UK transfers.
- The UK Addendum lets firms already using the EU SCCs cover UK transfers without a full IDTA.
- Either route must be paired with a Transfer Risk Assessment.
Looking for a Kenya outsourcing partner?
If your data leaves the UK, a Kenya-based provider experienced with the IDTA and the UK Addendum can make the contractual side straightforward.
Find a Kenya Outsourcing Partner →
Frequently Asked Questions
What is the IDTA?
The International Data Transfer Agreement is the UK’s contractual instrument for legalising restricted transfers of UK-origin personal data to countries without a UK adequacy decision. It is the UK’s post-Brexit replacement for the EU Standard Contractual Clauses.
How does the IDTA differ from the EU SCCs?
The IDTA is a single UK document drafted for UK GDPR, while the EU SCCs are the EU instrument drafted for the EU GDPR. The EU SCCs are not valid on their own for UK-origin transfers; a UK firm uses the IDTA or the EU SCCs combined with the UK Addendum.
What is the UK Addendum?
The UK Addendum is a short document that adapts the EU Standard Contractual Clauses to UK GDPR. Organisations already using the EU SCCs can attach the UK Addendum to cover UK-origin transfers, rather than executing the full IDTA.
Does the IDTA require a Transfer Risk Assessment?
Yes. Whether you use the IDTA or the UK Addendum, the ICO expects a Transfer Risk Assessment to confirm the safeguards will be effective in the destination country before you rely on them.
Sources & References
- UK Information Commissioner’s Office, “International transfers and the IDTA,” accessed 2026-06-13. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/
- Office of the Data Protection Commissioner (Kenya), “Data Protection Act, 2019,” accessed 2026-06-13. https://www.odpc.go.ke/
Published by Outsourcing.ke.
Further Reading
- IDTA Requirements for Kenya — applying the IDTA to a Kenya transfer
- SCCs vs the IDTA for Kenya — choosing the right tool
- UK GDPR When Outsourcing to Kenya — the full data-transfer workflow
- Employer of Record Kenya — EOR services for UK companies expanding to Kenya