Data Transfer Agreement

A contract governing how personal data is transferred between parties, particularly for international transfers requiring contractual safeguards. Data transfer agreements can be Standard Contractual Clauses (pre-approved by regulators), custom contracts incorporating required provisions, or addenda to broader service agreements addressing transfer-specific requirements. These agreements typically specify the parties' roles (controller/processor), describe the data and processing, establish data protection obligations, address security requirements, include breach notification provisions, grant audit rights, address sub-transfers, specify data return or deletion, and include termination provisions. Post-Schrems II, transfer agreements increasingly need supplementary measures addressing government access risks in destination countries. Organizations should maintain executed transfer agreements for all international data flows, conduct transfer impact assessments, monitor regulatory guidance on transfers, and review agreements when circumstances change.