Cross-Border Data Transfer Agreement

CROSS-BORDER DATA TRANSFER AGREEMENT

Table of Contents

  1. Parties
  2. Definitions
  3. Scope of Data Transfers
  4. Transfer Mechanism
  5. Transfer Impact Assessment
  6. Technical and Organizational Measures
  7. Data Subject Rights
  8. Sub-Processing
  9. Government Access and Disclosure
  10. General Provisions

ARTICLE I: PARTIES

Effective Date: [__/__/____]

DATA EXPORTER:
Company Name: [________________________________]
Jurisdiction: [________________________________]
Address: [________________________________]
City: [________________________________] Country: [________________________________]
Data Protection Officer (DPO): [________________________________]
Email: [________________________________]

DATA IMPORTER:
Company Name: [________________________________]
Jurisdiction: [________________________________]
Address: [________________________________]
City: [________________________________] Country: [________________________________]
Data Protection Officer/Privacy Contact: [________________________________]
Email: [________________________________]

Role Classification:

Data Exporter is a: ☐ Controller ☐ Processor
Data Importer is a: ☐ Controller ☐ Processor

Applicable SCC Module (if using EU SCCs):
☐ Module 1: Controller to Controller (C2C)
☐ Module 2: Controller to Processor (C2P)
☐ Module 3: Processor to Processor (P2P)
☐ Module 4: Processor to Controller (P2C)


ARTICLE II: DEFINITIONS

"Personal Data": Any information relating to an identified or identifiable natural person (data subject), as defined in GDPR Art. 4(1) and applicable data protection laws.

"Special Categories of Data": Personal data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation (GDPR Art. 9).

"Transfer": Any disclosure, transmission, or making available of Personal Data from the Data Exporter to the Data Importer, whether by electronic transmission, physical transfer, or granting access.

"Applicable Data Protection Law": All data protection and privacy laws applicable to the processing and transfer of Personal Data under this Agreement, including but not limited to GDPR, UK GDPR, CCPA/CPRA, LGPD, PIPL, and local implementing legislation.

"Standard Contractual Clauses" (SCCs): The standard contractual clauses adopted by the European Commission pursuant to Decision 2021/914 of 4 June 2021, as may be amended or replaced.

"Supplementary Measures": Additional technical, organizational, or contractual safeguards implemented to supplement the SCCs.


ARTICLE III: SCOPE OF DATA TRANSFERS

A. Description of Transfers

Purpose of Transfer: [________________________________]

Categories of Data Subjects:
☐ Employees/staff
☐ Customers/clients
☐ Vendors/suppliers
☐ Website visitors
☐ Patients/healthcare consumers
☐ Other: [________________________________]

Categories of Personal Data:
☐ Name, contact information
☐ Employment information
☐ Financial/payment data
☐ Technical data (IP addresses, cookies, device identifiers)
☐ Location data
☐ Health data
☐ Biometric data
☐ Other: [________________________________]

Special Categories of Data Transferred:
☐ None
☐ Yes — Categories: [________________________________]

Frequency of Transfer:
☐ Continuous/ongoing
☐ Periodic — Frequency: [________________________________]
☐ One-time transfer

Retention Period: [________________________________]

B. Countries Involved

Country of Data Exporter: [________________________________]
Country of Data Importer: [________________________________]
Adequacy Status of Importer's Country (per EU Commission): ☐ Adequate ☐ Not adequate ☐ Partial (e.g., DPF)


ARTICLE IV: TRANSFER MECHANISM

A. Legal Basis for Transfer

Select the applicable transfer mechanism under GDPR Art. 46-49:

☐ Adequacy Decision (Art. 45) — Importer's country recognized as adequate
Decision Reference: [________________________________]

☐ EU-US Data Privacy Framework — Importer is DPF-certified
DPF Certification Number: [________________________________]
Certification verified at: https://www.dataprivacyframework.gov

☐ Standard Contractual Clauses (Art. 46(2)(c)) — Appended as Exhibit A
Module(s) selected: [________________________________]
Governing law of SCCs (Clause 17): [________________________________]
Competent supervisory authority (Clause 13): [________________________________]

☐ Binding Corporate Rules (Art. 47) — Approved BCRs on file
BCR Reference: [________________________________]

☐ Derogation (Art. 49) — Explicit consent / Contractual necessity / Public interest
Specific basis: [________________________________]

B. UK Transfers

☐ UK IDTA (International Data Transfer Agreement) appended as Exhibit B
☐ UK Addendum to EU SCCs appended as Exhibit B
☐ Not applicable — Transfer does not involve UK personal data

C. Other Jurisdictions

Brazil (LGPD): Transfer mechanism: [________________________________]
China (PIPL): Transfer mechanism: [________________________________]
Other: [________________________________]


ARTICLE V: TRANSFER IMPACT ASSESSMENT

A. TIA Completed

☐ Yes — Date: [__/__/____] — Summary attached as Exhibit C
☐ In progress — Expected completion: [__/__/____]

B. Assessment of Importer's Legal Framework

Laws assessed:
☐ Government surveillance/access laws
☐ National security laws
☐ Law enforcement access provisions
☐ Data localization requirements
☐ Judicial redress mechanisms available to data subjects

Conclusion:
☐ Importer's legal framework provides essentially equivalent protection — SCCs sufficient
☐ Supplementary measures required (see Article VI)
☐ Transfer should not proceed — inadequate protection

C. Ongoing Monitoring

The Data Importer shall promptly notify Data Exporter of any changes in the legal framework that may affect the protections provided, including new legislation, court decisions, or government access requests.


ARTICLE VI: TECHNICAL AND ORGANIZATIONAL MEASURES

A. Security Measures

Data Importer shall implement the following measures (Annex II to SCCs):

☐ Encryption of data in transit (TLS 1.2 or higher)
☐ Encryption of data at rest (AES-256 or equivalent)
☐ Pseudonymization where feasible
☐ Access controls and authentication (MFA required)
☐ Regular security testing and vulnerability assessments
☐ Incident response and breach notification procedures
☐ Employee training on data protection
☐ Physical security measures for data processing facilities
☐ Business continuity and disaster recovery procedures
☐ Data minimization practices

B. Supplementary Measures (if required by TIA)

☐ End-to-end encryption preventing importer access to plaintext
☐ Split processing across jurisdictions
☐ Additional contractual commitments regarding government access
☐ Transparency reporting regarding government requests
☐ Other: [________________________________]


ARTICLE VII: DATA SUBJECT RIGHTS

Data Importer shall assist Data Exporter in responding to data subject requests, including:

☐ Right of access (GDPR Art. 15)
☐ Right to rectification (Art. 16)
☐ Right to erasure (Art. 17)
☐ Right to restriction of processing (Art. 18)
☐ Right to data portability (Art. 20)
☐ Right to object (Art. 21)
☐ Rights related to automated decision-making (Art. 22)

Response timeline: Data Importer shall respond to Data Exporter's requests within [____] business days.


ARTICLE VIII: SUB-PROCESSING

☐ Data Importer may not engage sub-processors without Data Exporter's prior written consent
☐ Data Importer may engage sub-processors listed in Exhibit D, with [____] days' prior notice for changes
☐ General authorization granted, with [____] days' prior notice and right to object

Current Sub-Processors:

Sub-Processor | Location | Processing Activity
[________________________________] | [________________________________] | [________________________________]
[________________________________] | [________________________________] | [________________________________]

ARTICLE IX: GOVERNMENT ACCESS AND DISCLOSURE

A. Transparency Commitment

Data Importer warrants that:

☐ It has not received any government order or request for access to personal data transferred under this Agreement (or if it has, details are provided in Exhibit E)

☐ It has not been required to create any "back door" or similar access mechanism

☐ It will promptly notify Data Exporter of any government request for access to transferred data, to the extent legally permitted

B. Challenge Obligation

If Data Importer receives a legally binding request for access to transferred data, it shall:

☐ Assess the legality of the request under applicable law
☐ Challenge the request if there are reasonable grounds to consider it unlawful
☐ Provide the minimum amount of information necessary if compelled to disclose
☐ Notify Data Exporter as soon as legally permitted


ARTICLE X: GENERAL PROVISIONS

Term: This Agreement shall remain in effect for the duration of the data transfers and for [____] years thereafter with respect to data already transferred.

Breach and Termination: Data Exporter may suspend or terminate data transfers if Data Importer breaches this Agreement or if the legal framework of the importer's country no longer provides adequate protection.

Liability: As set forth in the applicable SCCs and governing law.

Governing Law: [________________________________]

Supervisory Authority: [________________________________]

Audit Rights: Data Exporter (or its authorized auditor) may conduct audits of Data Importer's compliance upon [____] days' written notice, no more than [____] times per year.

Entire Agreement: This Agreement, together with the appended SCCs and Exhibits, constitutes the entire agreement regarding cross-border data transfers.


EXHIBITS

Exhibit A: EU Standard Contractual Clauses (Commission Decision 2021/914) — [ATTACH VERBATIM]
Exhibit B: UK International Data Transfer Agreement or UK Addendum (if applicable)
Exhibit C: Transfer Impact Assessment Summary
Exhibit D: List of Approved Sub-Processors
Exhibit E: Government Access Requests Log (if any)


SIGNATURES

DATA EXPORTER:

Signature: [________________________________]
Printed Name: [________________________________]
Title: [________________________________]
Date: [__/__/____]

DATA IMPORTER:

Signature: [________________________________]
Printed Name: [________________________________]
Title: [________________________________]
Date: [__/__/____]


SOURCES AND REFERENCES

  • GDPR, Arts. 44–49, https://eur-lex.europa.eu/eli/reg/2016/679/oj
  • European Commission, Standard Contractual Clauses (Decision 2021/914), https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en
  • EU-US Data Privacy Framework, https://www.dataprivacyframework.gov
  • EDPB, Recommendations 01/2020 on Supplementary Measures (June 2021)
  • CJEU, Schrems II (Case C-311/18, July 16, 2020)
  • UK ICO, International Data Transfer Agreement (IDTA), https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/

About This Template

International trade law covers tariffs, customs, sanctions, export controls, and trade agreements between buyers, sellers, and their governments. The rules change frequently and vary by country and commodity, and penalties for getting them wrong range from seized shipments to multi-million dollar fines. Well-drafted import and export agreements, customs filings, and compliance documents keep goods moving and keep the company off the enforcement radar.

Important Notice

This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.

Last updated: May 2026
