What are standard data protection clauses (the UK IDTA and the Addendum)?
-
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
In detail
- What are standard data protection clauses?
- What standard data protection clauses are available under the UK GDPR?
- Should we use the IDTA or Addendum?
- Who should complete the IDTA or Addendum?
- How do we complete the IDTA?
- Can we amend the text of the IDTA?
- Can we incorporate the IDTA by reference?
- Can we incorporate the IDTA into a commercial contract?
- Will the ICO be issuing further guidance on the IDTA?
- How do we complete the Addendum?
- Can we amend the text of the Addendum?
- Can we incorporate the Addendum by reference?
- Will the ICO be issuing further guidance on the Addendum?
- Will the IDTA and Addendum be updated to reflect the Data (Use and Access) Act coming into effect?
What are standard data protection clauses?
Standard data protection clauses are contract clauses that we, or the UK government, have pre-approved for you to use as a safeguard under the UK GDPR.
Standard data protection clauses impose contractual obligations on the sender and the receiver, and grant rights to the people the transferred information is about.
This ensures that the personal information continues to benefit from a high level of protection when you transfer it outside the UK.
You can make a restricted transfer if:
- you and the receiver enter into a contract that incorporates standard data protection clauses following any instructions included within those clauses); and
- you complete a TRA to make sure the standard of protection for people’s information is not materially lower once after you transfer it.
What standard data protection clauses are available under the UK GDPR?
The ICO has issued two sets of standard data protection clauses for restricted transfers which you can use as your safeguard:
- The International data transfer agreement (IDTA)
- The International data transfer addendum (Addendum)
The Addendum is an addendum to the standard contractual clauses the European Commission issued under the EU GDPR on 4 June 2021 (the EU SCCs). The EU SCCs are not valid on their own for restricted transfers under the UK GDPR. However, using the Addendum lets you rely on the EU SCCs for your restricted transfers under the UK GDPR.
Documentation:
- International data transfer agreement (PDF)
- International data transfer agreement (Word document)
- International data transfer addendum to the European Commission standard contractual clauses (PDF)
- International data transfer addendum to the European Commission standard contractual clauses (Word document)
Example
A family in the UK books a holiday in Australia with a UK travel company. The UK travel company sends details of the booking to the Australian hotel.
The travel company and the hotel are separate controllers, as they’re each processing the personal information for their own purposes and making their own decisions about it.
As the restricted transfer is not covered by adequacy regulations or an exception, the travel company can only make the transfer if it relies on appropriate safeguards.
The UK travel company and the hotel could enter into the IDTA or the Addendum.
The UK travel company must also complete a TRA and put in place any extra steps or protections required to make sure the data protection test is met.
The IDTA or Addendum and the TRA may cover all similar restricted transfers between the UK travel company and the Australian hotel, and not just the transfer of one family’s information.
Should we use the IDTA or Addendum?
You can choose either the IDTA or the Addendum to make a restricted transfer.
The Addendum may appeal to you if you:
- operate in both the UK and the EEA; and
- already use the EU SCCs for your European data flows (under the EU GDPR).
Or, the organisation receiving the information may already use the EU SCCs, so it could be quicker for them to sign up to the Addendum.
You can still use the Addendum with the EU SCCs if you only operate under the UK GDPR (ie you don’t have to be transferring information under the EU GDPR).
Who should complete the IDTA or Addendum?
You might enter into the IDTA or Addendum with the receiving organisation alongside your commercial contract.
The IDTA and Addendum require that both you and the receiving organisation ensure the details contained in the agreement are correct, and you must both comply with its contractual obligations.
How do we complete the IDTA?
The IDTA is made up of four parts:
- Part 1: Tables
- Part 2: Extra Protection Clauses
- Part 3: Commercial Clauses
- Part 4: Mandatory Clauses
You must always complete the Tables in Part 1. These require you to detail:
- the parties to the IDTA;
- the transfer details;
- the information you’re going to transfer; and
- the security requirements.
You can choose to complete Parts 2 and 3 – they’re optional.
- Part 2 allows you to include additional clauses which provide extra protections. For example, you could add a clause to provide additional technical security protections.
- Part 3 allows you to include additional commercial clauses. For example, if you’re making a restricted transfer to a processor, you could add in the clauses required by article 28 of the UK GDPR.
You must include Part 4 in your IDTA because this part sets out the mandatory clauses.
Can we amend the text of the IDTA?
You don’t need to use the specific format of the tables in Parts 1, 2 and 3, so long as you still set out the information required by those parts in your contract documentation.
You can only make minor amendments to Part 4 Mandatory Clauses under the specific circumstances set out in Part 4 Section 5 (Changing this IDTA). You must not make any changes that reduce the level of protection.
The IDTA is no longer a safeguard under the UK GDPR if:
- you don’t provide the information required by Part 1;
- you change the text of Part 4 Mandatory Clauses beyond what Section 5 allows; or
- both of the above apply.
If you make significant changes to Part 4 Mandatory Clauses, you could ask us to specifically approve your amended IDTA or Addendum as a safeguard (see What are contractual clauses authorised by the ICO?).
Can we incorporate the IDTA by reference?
You could incorporate the Part 4 Mandatory Clauses into your IDTA by reference only (so you don’t need to write them out in full). If you choose to do this, you must include the text set out in the “Alternative Part 4 Mandatory Clauses”. That namely is:
“Part 4: Mandatory Clauses of the Approved IDTA, being the template IDTA A.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 5.4 of those Mandatory Clauses.”
Can we incorporate the IDTA into a commercial contract?
You could incorporate the IDTA into a commercial contract, as long as:
- you fill in Tables 1, 2 and 3, or the commercial contract provides the information they require; and
- your main contract:
- does not amend the Part 4 Mandatory Clauses beyond what Section 5 (Changing this IDTA) allows; and
- does not reduce the protections in the IDTA.
Will the ICO be issuing further guidance on the IDTA?
We’ll be providing further clause-by-clause guidance when the IDTA is updated. We'll do this following the implementation of the amendments introduced by the DUAA.
How do we complete the Addendum?
The Addendum is made up of two parts:
- Part 1: Tables
- Part 2: Mandatory Clauses
You must always complete the Tables in Part 1. Part 1 requires you to detail:
- the parties to the IDTA;
- which EU SCCs, modules and clauses you want to apply;
- information to fill out the EU SCCs appendices; and
- which parties may end the Addendum when the approved Addendum changes.
You must include Part 2 in your Addendum because this part sets out the mandatory clauses.
Can we amend the text of the Addendum?
You can only make minor amendments to the Addendum as set out in Sections 16 and 17 of Part 2. You can only change the approved EU SCCs to meet the requirements of Section 12 of the Addendum.
Can we incorporate the Addendum by reference?
You may enter into the Addendum in any way that:
- makes it legally binding on both you and the receiver; and
- allows people the transferred information is about to enforce their rights as set out in the Addendum.
You could incorporate the Part 2 Mandatory Clauses into your contract by reference only (so you don’t need to set them out in full). If so, you must include the text set out in the “Alternative Part 2 Mandatory Clauses”. That is:
“Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.”
Will the ICO be issuing further guidance on the Addendum?
We’ll be providing further clause-by-clause guidance when the Addendum is updated. We'll do this following the implementation of the amendments introduced by the DUAA.
Will the IDTA and Addendum be updated to reflect the DUAA coming into effect?
We plan to update the IDTA and Addendum in the course of 2026. You should continue to use the current versions.
You and the receiver of the restricted transfer can choose for your IDTA or Addendum to automatically update when we issue a new version. This is set out in Section 5.4 of the IDTA and Section 18 of the Addendum.