Skip to main content
Home

Call for Views on International Transfers Guidance: Summary of Responses

Introduction 

Last year we committed to publishing new and updated guidance on international transfers, making it quicker and easier for businesses to transfer personal information safely.   

Between 26 June and 7 August 2025, we ran a 6-week call for views seeking views on our current international transfers guidance to enable us to make changes to meet the needs of UK organisations. Our aim is to make our guidance as clear, practical and accessible as possible.  

We received 33 responses to the call for views. Nine responses represented legal and compliance practitioners or law firms who advise organisations on their international transfers under UK GDPR. 11 responses were from small or medium-sized enterprises. We also held two verbal engagements arranged at the request of two stakeholder groups. We thank everyone who took the time to share their views with us. 

About the call for views 

Respondents welcomed our consultation and commitment to further work in this area. Respondents generally indicated they’re grateful the guidance exists, and consider it a useful resource.  

One response described the current guidance as ‘an excellent starting point’. There was support overall for our pragmatic approach, noting that it provides structure and confidence when selecting transfer mechanisms or relying on exceptions. 

Some, especially the consolidated responses from law firms and industry bodies, were rich with insights and practical suggestions about what would make international transfers easier for their clients and members. 

The most frequently mentioned aspects of international transfers in responses were: 

  • identifying restricted transfers; 
  • completing transfer risk assessments (TRAs); 
  • cloud and supply chain scenarios; and  
  • navigating multi-jurisdictional responsibilities.  

A common observation running through responses was that our current guidance and examples don’t always fully reflect the complex reality of international transfers. 

Respondents asked for clearer indexing, tools to simplify documentation and decision-making, and more practical, scenario-based examples. 

Key themes

We’ve categorised the feedback we received into eight themes. We’ve  summarised and provided our response to each of these below.   

1. Navigation, organisation and clarity 

Over half of respondents told us they find it difficult to find the information they need in the current transfers guidance.  

A similar number either didn’t agree or weren’t sure if the guidance is clear and easy to understand, with some citing issues with navigation as a contributing factor.  

Some respondents felt the guidance is written for an expert audience already familiar with the transfer rules.   

ICO response

We recognise our transfers guidance was not as easy to navigate as we’d like. We’ve therefore broken content down into separate thematic chapters and developed indexing to improve both navigation and the user experience within chapters.   

We’ve made clear what organisations must, should and could do to comply with data protection legislation. We’ve also reviewed the language we use and created a Glossary to make the guidance accessible to a wider audience.  

A new Brief guide and Quick reference FAQs will also support users who don’t have specialist knowledge or experience of making international transfers.    

2. Understanding what a restricted transfer is 

Over a third of respondents expressed uncertainty or confusion about what a ‘restricted transfer’ is. Some respondents specifically referenced their use of cloud services with an ask for guidance about what restricted transfers they may be making in this context.   

There were also requests for clarification around: 

  • returning personal information to an overseas controller; 
  • the relevance of the physical location of personal information (versus the contractual location, including when information doesn’t leave the UK); and  
  • on making information accessible (versus sending it).  
ICO response 

Our updated guidance significantly expands the explanation of what an international transfer of personal information is. We’ve set out our ‘three step test’ to help readers decide if they’re making a restricted transfer.  

We’ve provided further clarification on what is and isn’t a restricted transfer in common scenarios which reflect the reality of global transfers. We’ve provided more examples to help illustrate this.  

We’ve also suggested practical steps organisations can take to help them decide whether they’re making a restricted transfer. We’re developing an interactive tool to help with this decision-making. We hope to launch this in the spring.   

3. Roles and responsibilities 

Respondents asked us to address the complexities of layered transfer chains, citing issues such as:  

  • data residency;  
  • shared responsibilities; and  
  • obligations under contracts with third-party providers.   

Some respondents asked for guidance on due diligence and the ICO’s expectations throughout the contract chain, eg for processor-initiated onward transfers.  

There were also calls for clearer guidance on roles and responsibilities in completing transfer risk assessments (TRAs) given the practical challenges organisations face.

ICO response 

Our updated guidance includes new content to support organisations with their obligations, including: 

  • deciding if they’re responsible for complying with the transfer rules; 
  • the kind of checks they should make if they’re initiating a restricted transfer to a controller or to a processor; and 
  • what other key responsibilities they have (either as a controller or a processor) in the context of international transfers.

4. Transfer risk assessments (TRAs)  

There was wide support for the ICO’s pragmatic approach to TRAs. However, responses commonly expressed the view that our TRA tool is lengthy and resource intensive. Relatedly, there was a call for completed TRAs of real-world scenarios to help organisations complete their own documentation.  

We received detailed feedback on the tool. This included suggestions on how we could: 

  • streamline it (especially for low-risk transfers); and  
  • improve the user experience (eg more easily editable templates).  

We also received requests for country-specific risk profiles, or guidance on countries the ICO considers high risk. Responses requesting country information often cited the cost of procuring country-specific legal advice where open source information isn’t readily available. 

Several responses noted the introduction of the ‘data protection test’ in the Data (Use and Access) Act and asked for clarification on whether this changes our TRA methodology.  

ICO response 

We’ve restructured and expanded our TRA guidance in the following ways:

  • We have a specific chapter on Completing a TRA that is clearly listed on the International transfers guidance landing page. 
  • We’ve clarified that our TRA approach and the data protection test are compatible. The aim remains the same: to ensure that the standard of protection for people is not undermined once their personal information has transferred. 
  • We’ve provided additional content on the most frequently asked questions we receive. 

We’re committed to further refining our TRA tool. We need time to consider what this might look like. We’ll ensure it continues to: 

  • provide an approach that’s reasonable and proportionate; and 
  • assists you in ensuring the standard of protection for personal information is not materially lower after you transfer it.  

We may consider producing factual country summaries in the future to assist with TRAs, but this is not part of our immediate plans.

5. International data transfer agreement (IDTA) and the Addendum 

The most frequent requests in this area were:

  • Guidance on when to use the IDTA and when to use the Addendum.
  • Clause-by-clause guidance for the IDTA.  
  • Completed examples of the IDTA to demonstrate how the safeguard can be used in common scenarios.
  • A more user-friendly, easily editable version of the IDTA.

Respondents also noted the often complex picture of transfers across multiple jurisdictions. We heard requests for guidance which covers this, including mapping transfer instruments used in other jurisdictions.  

ICO response

We acknowledge that clause-by-clause guidance on the IDTA has been asked for previously. We plan to update the IDTA following the implementation of the amendments introduced by the Data (Use and Access) Act. Our intention is to provide clause-by-clause guidance at this time. This will also be the opportunity for us to provide worked examples and more user-friendly templates.

Organisations should continue to use the current versions of the IDTA and Addendum. Our updated guidance provides answers to questions raised in responses, for example on incorporating the IDTA or Addendum by reference.

6. Adequacy regulations

More than half of respondents provided feedback on our adequacy guidance. A small number asked for more information about countries where there is a partial finding of adequacy. There were mixed views on whether our US-related guidance is useful. 

ICO response

Our updated guidance on Adequacy regulations provides a fuller explanation of full versus partial adequacy. In particular, we’ve developed guidance on how the UK Extension to the EU-US Data Privacy Framework (DPF) works and how organisations can use this to transfer personal information to the US. 

7. EU and Data Protection

Responses on this area of the guidance were mainly focused on the challenges organisations face when they’re operating under both the EU and UK data protection regimes in parallel. There were requests for mapping or comparison between the UK’s IDTAs and the EU’s Standard Contractual Clauses (SCCs), and consolidated guidance comparing UK and EU obligations

ICO response

Our content on the EU dated from when the UK left the EU. It was located separately from our core guidance on international transfers. We’ve removed outdated information and rebranded the guidance as Receiving personal information from the EEA. It’s now located with our other transfers guidance. It covers:

  • the UK’s adequacy decisions from the EU; and
  • suggestions on how to navigate the EU and UK regimes in parallel.

We haven’t provided mapping between our IDTA and the EU SCCS.  Whilst we understand many UK organisations need to navigate both the UK and EU data protection regimes, we’re prioritising providing guidance on the UK data protection laws under our regulatory responsibilities.

8. Use and applicability of examples

Most respondents told us they find the existing examples useful, although they’re not easy to bookmark. Many respondents made suggestions of the types of scenarios they’d appreciate in any updated guidance. These included: 

  • Sector specific examples (eg health, finance).
  • Examples to reflect the reality of global workforces and global supply chains.
  • Cloud examples.
  • Examples suited to small and medium sized businesses. 
ICO response

We’ve embedded new examples throughout the updated guidance. Our new structure makes it easier for users to bookmark these for future reference. 

We’ll keep our examples under review. We intend to produce some case studies to work through real-life multi-layered or cross-jurisdictional transfer scenarios. It’s in this context we may be able to provide worked examples of a TRA and IDTA. 

Next steps

Whilst we’ve made significant updates to our international transfers guidance, this is not the end of our work. In January 2025, we made a commitment to making it quicker and easier for businesses to transfer personal information safely. We’re focused on delivering further improvements to help UK businesses thrive in a global digital economy. 

We invite you to continue to provide us with feedback on this guidance by contacting [email protected]. Please note that we cannot reply to individual queries about specific transfer scenarios. If you need advice, please see our Contact us page