SCCs vs the IDTA for Kenya Data Transfers

Standard Contractual Clauses (SCCs) are model data-protection clauses used to legalise restricted transfers of personal data. The catch for UK businesses is that the EU SCCs are not valid on their own for UK-origin transfers to Kenya. After Brexit, the UK introduced its own instrument, the International Data Transfer Agreement (IDTA), and a UK Addendum that adapts the EU clauses. This guide sets out the difference, why it matters, and which option a UK firm should use when sending data to a Kenyan partner. For the instrument itself, see the IDTA explained.

Key Facts

Item	Position for UK-Kenya transfers
UK adequacy decision for Kenya	None
EU SCCs alone for UK data	Not valid
Valid UK options	IDTA, or EU SCCs plus the UK Addendum
Legal basis	UK GDPR Article 46
UK regulator	Information Commissioner’s Office (ICO)
Kenya regulator	Office of the Data Protection Commissioner (ODPC)
Kenya law	Data Protection Act 2019 (GDPR-aligned)
Companion requirement	Transfer Risk Assessment (TRA)
Typical UK-only choice	Standalone IDTA
Typical multinational choice	EU SCCs plus UK Addendum

Key terms

EU SCCs: The European Commission's Standard Contractual Clauses, drafted for the EU GDPR; not valid alone for UK-origin transfers.
IDTA: The UK International Data Transfer Agreement, the standalone UK contract for restricted transfers of UK-origin data.
UK Addendum: A short ICO document that adapts the EU SCCs to UK GDPR so they can cover UK-origin transfers.

Why the EU SCCs are not enough for UK data

Answer: The EU SCCs were drafted under the EU GDPR, and after Brexit the UK requires its own recognised safeguard, so the EU SCCs alone do not satisfy UK GDPR for a UK-origin transfer.

Before Brexit, a UK business could rely on the EU SCCs because the UK was inside the EU GDPR regime. That changed. The UK now operates UK GDPR and expects UK-origin transfers to non-adequate countries to use a UK-recognised tool. Kenya has no UK adequacy decision, so a transfer of UK-origin personal data needs an Article 46 safeguard issued for UK GDPR. Continuing to rely on the bare EU SCCs leaves a gap the ICO can challenge.

The two valid options

Answer: A UK firm uses either the standalone IDTA or the EU SCCs combined with the UK Addendum; both deliver Article 46 safeguards.

Option	How it works	Best suited to
Standalone IDTA	A single UK document completed for the transfer	UK-only businesses
EU SCCs + UK Addendum	EU clauses adapted to UK GDPR by a short addendum	Firms already using the EU SCCs for EU data

The choice is largely operational. A purely UK business sending data to Kenya often finds the standalone IDTA simplest. A multinational that has already standardised on the EU SCCs for its EU flows can bolt on the UK Addendum rather than maintain two unrelated contracts. Either way, the substantive protections for the data subject are equivalent. The detailed application to a Kenyan transfer is covered in the IDTA for Kenya guide.

The Transfer Risk Assessment still applies

Answer: Neither option removes the need for a Transfer Risk Assessment; the ICO expects one before reliance.

A contract sets obligations; a Transfer Risk Assessment (TRA) tests whether those obligations will be effective in Kenya in practice. Whichever tool you pick, you must document the assessment, considering local law and the nature of the data. This pairing of safeguard plus TRA is the heart of compliant cross-border transfer and is set out in full in the UK GDPR outsourcing guide. Kenya’s own Data Protection Act 2019 is GDPR-aligned, which supports the TRA conclusion but does not replace the UK exporter’s duty.

How this fits the framework

Choosing the right transfer tool is one part of the data-protection pillar within the UK-Kenya compliance framework. The other pillars, Permanent Establishment risk, employment law and payroll, are handled separately. For data, the rule of thumb is simple: do not rely on the EU SCCs alone, use the IDTA or the Addendum, and back it with a TRA.

Key Takeaways

The EU SCCs are not valid on their own for UK-origin transfers to Kenya.
UK firms must use the IDTA, or the EU SCCs combined with the UK Addendum.
The standalone IDTA suits UK-only firms; the Addendum suits firms already using the EU SCCs.
Both options require a Transfer Risk Assessment before reliance.

Looking for a Kenya outsourcing partner?

A Kenyan provider familiar with both the IDTA and the UK Addendum can sign the right transfer tool and support your Transfer Risk Assessment without delay.

Find a Kenya Outsourcing Partner →

Frequently Asked Questions

Can UK firms use the EU SCCs for Kenya transfers?

Not on their own. The EU Standard Contractual Clauses are not valid for UK-origin transfers. A UK firm must use the UK IDTA, or the EU SCCs combined with the UK Addendum, for personal data going to Kenya.

Why are the EU SCCs not enough for UK data?

The EU SCCs were drafted for the EU GDPR. After Brexit, the UK created its own framework. UK-origin transfers need a UK-recognised safeguard, which is the IDTA or the EU SCCs with the UK Addendum bolted on.

Which tool should a UK firm choose for Kenya?

A UK-only business often uses the standalone IDTA. A firm already standardised on the EU SCCs for EU data can add the UK Addendum to cover UK transfers. Both deliver Article 46 safeguards and both need a Transfer Risk Assessment.

Does either option remove the need for a Transfer Risk Assessment?

No. Whether you use the IDTA or the EU SCCs with the UK Addendum, the ICO expects a Transfer Risk Assessment to confirm the safeguards will be effective in Kenya before you rely on them.

Sources & References

UK Information Commissioner’s Office, “International transfers and the IDTA,” accessed 2026-06-13. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/
Office of the Data Protection Commissioner (Kenya), “Data Protection Act, 2019,” accessed 2026-06-13. https://www.odpc.go.ke/

Published by Outsourcing.ke.