Uk Transfer Mechanisms

• Part 1: Tables (completed by the parties to describe the transfer)
  • Table 1: Parties and Key Contacts
  • Table 2: Transfer Details (description, purpose, data categories, data subjects, frequency, retention)
  • Table 3: Technical and Organisational Security Measures (TFM Clauses)
  • Table 4: Extra Protection Clauses (supplementary measures addressing destination country risks)
• Part 2: Extra Protection Clauses (mandatory assessment of whether the destination country provides equivalent protection to UK GDPR)
• Part 3: Commercial Clauses (parties may add commercial terms in a linked agreement)
• Part 4: Mandatory Clauses (fixed text that cannot be amended)

Key features:

• Covers all four transfer relationship types (C2C, C2P, P2P, P2C) in a single document
• Requires a Transfer Risk Assessment (TRA) as part of Extra Protection Clauses
• Parties must review the IDTA when notified of a change affecting the transfer
• ICO retains the power to issue a revised IDTA at any time

UK Addendum to EU SCCs

The UK Addendum is an alternative to the IDTA that allows organisations already using EU SCCs (Commission Decision 2021/914) to extend those SCCs to cover UK GDPR-governed transfers by adding the Addendum.

Structure:

• Part 1: Tables
  • Table 1: Parties (references EU SCC Annex I.A)
  • Table 2: Selected SCCs, Modules, and Selected Clauses
  • Table 3: Appendix Information (references EU SCC Annexes I-III)
  • Table 4: Ending the Addendum When the Approved Addendum Changes
• Part 2: Mandatory Clauses of the Approved Addendum
• The Addendum incorporates the EU SCC text but replaces references to EU law with UK law references

When to use the Addendum vs. IDTA:

• Use the Addendum if EU SCCs are already executed and you want to extend coverage to UK transfers with minimal additional drafting
• Use the IDTA if the transfer is UK-only (no EU nexus) or if you prefer a standalone UK instrument
• Both instruments are equally valid under UK law

UK Adequacy Assessments

Countries with UK Adequacy Regulations

The UK Secretary of State has the power to make adequacy regulations under Section 17A of the Data Protection Act 2018. As of March 2026, the UK has adopted adequacy regulations for:

UK-US Data Bridge

The UK-US Data Bridge extends the DPF self-certification mechanism to UK-to-US transfers:

• US organisations self-certified to the DPF that also opt into the UK Extension are covered
• Verification: Check the DPF List at dataprivacyframework.gov and confirm the "UK Extension" is active
• Same principles and enforcement mechanisms as the EU-US DPF apply

ICO Transfer Risk Assessment (TRA)

The ICO has published a Transfer Risk Assessment tool to assist organisations in evaluating whether a transfer provides an essentially equivalent level of protection to that under UK law.

TRA Methodology

Step 1: Assess Whether a Restricted Transfer Is Taking Place

1. Confirm personal data is being transferred from the UK to a country outside the UK.
2. Confirm the destination country does not have UK adequacy regulations.
3. Confirm no exemption under Schedule 5 of the UK GDPR applies.

Step 2: Assess the Destination Country Legal Framework

Evaluate the destination country's laws and practices against four factors:

Step 3: Assess the Transfer-Specific Risk

Step 4: Determine Whether Additional Safeguards Are Needed

Based on the assessment, determine whether the IDTA or Addendum alone provides sufficient protection, or whether Extra Protection Clauses (supplementary measures) are needed.

Step 5: Document and Review

Document the TRA results and schedule periodic reviews (at least annually or upon trigger events).

IDTA Implementation at Athena Global Logistics

Table 1: Parties

Table 2: Transfer Details

Table 3: Security Measures

Reference to the Annex II measures from the EU SCC implementation (TLS 1.3, AES-256 encryption at rest, RBAC with MFA, centralised SIEM, ISO 27001-certified facilities).

Table 4: Extra Protection Clauses

Extra Protection Clauses mirror the supplementary measures identified in TIA-2025-HK-001:

• End-to-end encryption for archived data with UK-held keys
• Contractual obligation to challenge disproportionate government requests
• 48-hour government access notification
• Annual audit rights
• Warrant canary
• Named-personnel access restriction

Dual EU-UK Transfer Management

For organisations like Athena Global Logistics that transfer data under both EU GDPR and UK GDPR, the recommended approach is:

1. EU transfers: Use EU SCCs (Commission Decision 2021/914) with EU TIA
2. UK transfers: Use UK Addendum to the EU SCCs (appended to the same SCC instrument)
3. Combined document: A single contractual package comprising the EU SCCs + UK Addendum covers both regimes
4. Separate TIAs: The EU TIA and UK TRA may reach different conclusions due to different legal standards; document both
5. Register: Maintain separate transfer register entries for EU-governed and UK-governed transfers to the same importer