Intercompany Data Transfer Agreement Template for the United States

Generate a bespoke document

Trusted by 200k+ teams

4.7 Capterra
4.8 Product Hunt
4.6 Trustpilot

What is a Intercompany Data Transfer Agreement?

The Intercompany Data Transfer Agreement is essential when companies need to share personal data between different legal entities within their corporate structure. This document becomes necessary when organizations operate across multiple jurisdictions within the United States or internationally and need to ensure compliant data transfers. It addresses requirements under US federal and state privacy laws, including CCPA, HIPAA, and other sector-specific regulations, while also considering international data protection requirements where applicable. The agreement provides a framework for maintaining data protection standards and defining responsibilities between affiliated companies.

Reviewed by

Swetha Meenal

Legal Engineer, GenieAI

Swetha Meenal profile photo

A lawyer, legal researcher and legal tech founder, Swetha has built AI products deployed inside Tier 1 firms and enterprises. She ensures GenieAI's alignment with the latest regulation and executes testing on the legal robustness of Genie output.

Reviewed by

Imad Mohammed Nazar

Legal Engineer, GenieAI

Imad Mohammed Nazar profile photo

A Skadden-trained M&A lawyer, Imad advised on cross-border transactions and contractual risk before moving into legal AI. He reviews GenieAI's output for compliance and enforceability across our 150+ supported jurisdictions, as well as facilitating external benchmarking.

Jurisdiction

United States

Publisher

GenieAI

Sector

Business

Cost

Free to use

Last updated

About the Intercompany Data Transfer Agreement

An Intercompany Data Transfer Agreement is a specialized legal contract that governs how personal data moves between different entities within the same corporate family. When your organization operates multiple subsidiaries, divisions, or affiliated companies, this agreement ensures that data sharing complies with United States privacy laws and maintains consistent protection standards across your corporate structure.

When do you need this document?

You need an Intercompany Data Transfer Agreement whenever your business shares personal data between affiliated entities operating under different legal structures or in different states. This includes situations where your parent company needs to share employee records with subsidiaries, when consolidating customer databases across divisions, or when centralizing data processing operations. The agreement becomes particularly important if your data transfers involve entities in different jurisdictions with varying privacy requirements, such as moving data between a California-based subsidiary subject to CCPA and entities in other states with different privacy frameworks.

Key legal considerations

Several critical elements must be addressed in your agreement to ensure legal compliance and operational effectiveness. Data mapping and classification requirements help identify what types of personal information will be transferred and the lawful basis for processing. Security safeguards and technical measures must be specified to protect data during transmission and storage, including encryption standards and access controls. The agreement should clearly define each party's responsibilities as data controller or processor, establish data retention and deletion procedures, and include breach notification protocols. Additionally, you must address data subject rights, such as access, correction, and deletion requests, ensuring these rights can be exercised regardless of where the data resides within your corporate structure.

Legal requirements in United States

Under United States law, intercompany data transfers must comply with multiple federal and state regulations depending on the data type and industry involved. HIPAA requirements apply to healthcare data transfers, while GLBA governs financial information sharing between affiliated financial institutions. For companies handling children's data, COPPA compliance is mandatory, and educational institutions must adhere to FERPA requirements. State-level privacy laws like the California Consumer Privacy Act (CCPA) impose additional obligations for data transfers involving California residents' information. The Federal Trade Commission Act requires that data handling practices align with published privacy policies and avoid deceptive practices. If your transfers involve international data or EU residents' information, GDPR compliance may also be required, necessitating additional safeguards such as Standard Contractual Clauses or adequacy determinations. Companies must also consider sector-specific regulations and ensure their agreements address cybersecurity requirements under applicable state breach notification laws.

GOVERNING LAW

Applicable law

This Intercompany Data Transfer Agreement is drafted to comply with United States law. Key legislation includes:

GDPR Compliance: Consider European Union General Data Protection Regulation requirements if EU data is involved in the transfer

Privacy Shield Framework: Principles governing international data transfers and privacy protection standards

FTC Act Section 5: Federal Trade Commission Act provisions regarding unfair or deceptive practices affecting commerce, including data privacy

CFAA: Computer Fraud and Abuse Act requirements regarding unauthorized access and computer security

HIPAA: Health Insurance Portability and Accountability Act requirements for healthcare data protection

GLBA: Gramm-Leach-Bliley Act requirements for financial data protection

FERPA: Family Educational Rights and Privacy Act requirements for educational data protection

COPPA: Children's Online Privacy Protection Act requirements for processing children's data

CCPA: California Consumer Privacy Act requirements for processing California residents' data

VCDPA: Virginia Consumer Data Protection Act requirements for processing Virginia residents' data

Colorado Privacy Act: Requirements for processing Colorado residents' personal data

Data Localization: Requirements regarding where data must be stored and processed physically

Data Breach Notifications: Requirements for notifying affected parties and authorities in case of data breaches

Standard Contractual Clauses: Pre-approved contractual language for international data transfers

Binding Corporate Rules: Internal rules for international data transfers within multinational companies

Genie's Security Promise

Genie is the safest place to draft. Here's how we prioritise your privacy and security.

Your data is private:

We do not train on your data; Genie's AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

We are ISO27001 certified, so your data is secure

Organizational security:

You retain IP ownership of your documents and their information

You have full control over your data and who gets to see it