Personal Data Transfer Agreement Template for the United States

Generate a bespoke document

Trusted by 200k+ teams

4.7 Capterra
4.8 Product Hunt
4.6 Trustpilot

What is a Personal Data Transfer Agreement?

Personal Data Transfer Agreements have become essential in today's data-driven business environment, particularly under U.S. privacy regulations. These agreements are necessary when organizations need to share personal data with third parties, whether domestically or internationally. A Personal Data Transfer Agreement outlines specific obligations, security measures, and compliance requirements to protect data subjects' rights and ensure lawful data processing. It addresses key U.S. regulatory requirements while potentially incorporating international standards when needed.

Reviewed by

Swetha Meenal

Legal Engineer, GenieAI

Swetha Meenal profile photo

A lawyer, legal researcher and legal tech founder, Swetha has built AI products deployed inside Tier 1 firms and enterprises. She ensures GenieAI's alignment with the latest regulation and executes testing on the legal robustness of Genie output.

Reviewed by

Imad Mohammed Nazar

Legal Engineer, GenieAI

Imad Mohammed Nazar profile photo

A Skadden-trained M&A lawyer, Imad advised on cross-border transactions and contractual risk before moving into legal AI. He reviews GenieAI's output for compliance and enforceability across our 150+ supported jurisdictions, as well as facilitating external benchmarking.

Jurisdiction

United States

Publisher

GenieAI

Sector

Business

Cost

Free to use

Last updated

About the Personal Data Transfer Agreement

When your organization needs to share personal data with third parties, a Personal Data Transfer Agreement provides the legal foundation to ensure compliance with United States privacy laws. This comprehensive document establishes clear obligations between data exporters and importers, protecting both your business interests and data subjects' rights under federal and state regulations.

When do you need this document?

You need a Personal Data Transfer Agreement whenever your business shares personal information with external parties, including vendors, partners, subsidiaries, or service providers. This includes scenarios such as outsourcing customer service operations to third-party call centers, sharing employee data with payroll processors, transferring patient information to healthcare partners under HIPAA, or providing customer data to marketing agencies. The agreement is particularly crucial for businesses operating across state lines, as different states like California have specific requirements under CCPA and CPRA. Financial institutions must use these agreements when sharing consumer data under GLBA requirements, while companies handling children's information need compliance with COPPA standards.

Key legal considerations

Your Personal Data Transfer Agreement must clearly define the purpose and scope of data sharing, specifying exactly what types of personal information will be transferred and for what legitimate business purposes. The document should establish comprehensive security measures, including encryption standards, access controls, and breach notification procedures that both parties must implement. Data retention and deletion obligations are critical, outlining how long the data importer can retain information and requiring secure disposal when no longer needed. The agreement must address data subject rights, ensuring individuals can exercise their rights to access, correct, or delete their personal information even after transfer. Include provisions for regular audits and compliance monitoring, allowing the data exporter to verify the importer's adherence to agreed-upon standards. Consider liability allocation and indemnification clauses to protect against potential data breaches or regulatory violations.

Legal requirements in United States

Under federal law, your agreement must comply with FTC Act Section 5 provisions prohibiting unfair or deceptive data practices. Healthcare organizations must ensure transfers meet HIPAA's minimum necessary standards and include appropriate Business Associate Agreement provisions when applicable. Financial institutions must incorporate GLBA safeguarding requirements, ensuring customer financial information receives adequate protection during transfer. For businesses handling children's data, COPPA compliance requires parental consent verification and special protections for users under 13. California businesses must address CCPA and CPRA requirements, including consumer rights disclosures and opt-out mechanisms for data sales. When transferring data internationally, consider incorporating Standard Contractual Clauses or ensuring adequacy decisions exist for destination countries. State-specific requirements may apply depending on your business location and the types of personal data involved, making it essential to review applicable state privacy laws and sector-specific regulations.

GOVERNING LAW

Applicable law

This Personal Data Transfer Agreement is drafted to comply with United States law. Key legislation includes:

FTC Act Section 5: Federal Trade Commission Act provisions regarding unfair or deceptive practices in data handling and privacy

CCPA/CPRA: California Consumer Privacy Act and California Privacy Rights Act - comprehensive state privacy laws affecting businesses handling California residents' data

GLBA: Gramm-Leach-Bliley Act - federal law governing the collection, use, and protection of consumers' financial information

HIPAA: Health Insurance Portability and Accountability Act - federal law protecting sensitive patient health information

COPPA: Children's Online Privacy Protection Act - federal law imposing requirements on operators of websites/online services regarding children under 13

GDPR: EU General Data Protection Regulation - comprehensive privacy regulation affecting data transfers involving EU residents

EU-US Data Privacy Framework: Framework governing transatlantic data transfers between the EU and US

Standard Contractual Clauses: Standardized contractual terms approved by EU authorities for international data transfers

VCDPA: Virginia Consumer Data Protection Act - comprehensive state privacy law in Virginia

Colorado Privacy Act: Comprehensive state privacy law in Colorado governing the collection and use of personal data

Utah Consumer Privacy Act: Utah's comprehensive privacy legislation protecting consumer data rights

Connecticut Data Privacy Act: Connecticut's comprehensive privacy law governing personal data protection

PCI DSS: Payment Card Industry Data Security Standard - security standards for organizations handling credit card information

SOC 2: Service Organization Control 2 - compliance framework for managing customer data based on security, availability, processing integrity, confidentiality, and privacy

ISO 27001: International standard for information security management systems and protecting personal information

Genie's Security Promise

Genie is the safest place to draft. Here's how we prioritise your privacy and security.

Your data is private:

We do not train on your data; Genie's AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

We are ISO27001 certified, so your data is secure

Organizational security:

You retain IP ownership of your documents and their information

You have full control over your data and who gets to see it