Does this section apply to us?
You should read this section if:
- you are a UK-based business or organisation and the GDPR currently applies to your processing of personal data;
- you send personal data outside the UK;
- you receive personal data from the EEA; or
- you receive personal data from countries or territories which are covered by an adequacy decision.
This section does not apply to you if:
- you never transfer personal data outside the UK and never receive personal data from outside the UK; or
- you only transfer personal data outside the UK to consumers, or only receive personal data from outside the UK directly from consumers.
A hairdresser's in Cheshire has a client database which it uses for bookings and marketing. It stores this database on its office computer. It has never sent any of its client data outside the UK and has no intention of doing so. The hairdresser's does not need to consider this section on international transfers.
A hotel in Cornwall takes direct bookings from individuals across Europe, which include their names, addresses and other personal information. It receives personal data from those individuals and sends personal data back to them. Neither transfer is restricted under the GDPR or the UK GDPR, as each is made directly with a consumer. The hotel does not need to consider this section on international transfers.
However, if either business uses a cloud IT service which stores and/or processes its data (including personal data) anywhere outside the UK (including in the EEA), it should review this section on international transfers.
The GDPR provides rules setting out when and how a transfer of personal data protected by the GDPR to outside of that protection may take place; this is usually because the data is moving to countries outside the EEA (a restricted transfer).
If you transfer personal data outside the EEA now, you should already have in place arrangements for making a restricted transfer under the GDPR. Further detail is provided in the international transfers section of our Guide to GDPR.
On exit date there will be two sets of rules to consider:
- first, if you are making a restricted transfer outwards from the UK; and
- second, if you are receiving personal data from outside the UK (including from the EEA) into the UK.
You should review the international transfers section of our Guide to GDPR, bearing in mind the key points below. The European Data Protection Board (EDPB) has published an information note on data transfers under the GDPR in the event of a no-deal Brexit. It is also currently working on its general guidance regarding International Transfers, and we will update our guidance as this is published.
What are the key points if we are making transfers from the UK?
You are making a restricted transfer outwards from the UK if:
- the UK version of the GDPR applies to the processing of the personal data you are transferring;
- the UK GDPR does not apply to the importer of the data, usually because they are located in a country outside the UK (which may be in the EU, the EEA or elsewhere); and
- you, the sender of the personal data, and the receiver of the data are separate organisations (even if you are both companies within the same group).
A UK company passes employee information to a centralised group human resources service provided by its parent company in Germany. After the UK exits the EU, this will be a restricted transfer under the UK GDPR.
The UK is England, Scotland, Wales, and Northern Ireland. It does not include Crown dependencies or United Kingdom overseas territories, including Gibraltar.
The UK government has stated that, on the UK’s exit from the EU, transfers of data from the UK to the EEA will be permitted. It says it will keep this under review.
The UK government will allow transfers to Gibraltar to continue.
If your restricted transfer is not to the EEA, then you should already have considered how to comply with the GDPR. You will continue to be able to rely on the same mechanisms. In particular:
- You will be able to make the restricted transfer if it is covered by new UK adequacy regulations. Adequacy regulations confirm that a particular country or territory (or a specified sector in a country or territory) or international organisation, has an adequate data protection regime.
- The UK government intends to recognise the EU adequacy decisions which have been made by the European Commission prior to the exit date. This will allow restricted transfers to continue to be made to most organisations, countries, territories or sectors covered by an EU adequacy decision.
- The UK government is still considering the position on the recent EU adequacy decision for Japan, and whether modified arrangements will be required for it to apply to transfers from the UK. We will provide updated guidance in due course.
- Modified arrangements will apply in relation to the EU adequacy decision for the EU/US Privacy Shield, as this is an EU/US-specific arrangement. The UK government is making arrangements for its continued application to restricted transfers from the UK to the USA, and there is further information on the US government's Privacy Shield website. If the UK exits the EU without the Withdrawal Agreement ('No Deal'), UK businesses will continue to be able to transfer personal data to US organisations participating in the Privacy Shield, provided those US organisations have updated their public commitment to comply with the Privacy Shield to expressly state that those commitments apply to transfers of personal data from the UK.
- If there is no adequacy decision which covers your restricted transfer, you should consider putting in place one of a list of appropriate safeguards to cover the restricted transfer.
- For most businesses, a convenient appropriate safeguard is the use of standard contractual clauses. The UK government intends to recognise European Commission-approved standard contractual clauses as providing an appropriate safeguard for restricted transfers from the UK. We have template contracts which you can use:
A UK travel company organises educational visits overseas for schools. It sends personal data of those going on the trips to hotels in Spain, Uruguay and Mexico. The travel company, the schools and each hotel are separate controllers as each is processing the personal data for its own purposes and making its own decisions. The personal data of students is passed from the schools to the UK company and then to the hotels. The travel company is making a restricted transfer to the hotels. It does not need to take additional steps when transferring personal data to:
- the Spanish hotel (as the UK government will recognise EEA countries as ensuring an adequate level of data protection under UK law); and
- the Uruguayan hotel (as the UK government will recognise the adequacy decision made by the European Commission in respect of Uruguay).
In order to transfer personal data to the Mexican hotel it will need to take additional steps to comply with the provisions on restricted transfers in the UK GDPR. The most appropriate action is likely to be using standard contractual clauses.
- For restricted transfers from a UK public body to a non-EEA public body, where one party is unable to enter into a binding contract, an appropriate safeguard may be an administrative arrangement between these bodies which has been approved by the ICO.
- For restricted transfers from the UK but within a corporate group or to a group of overseas service providers, another convenient method of providing an appropriate safeguard is binding corporate rules.
- The UK government will recognise binding corporate rules authorised under the EU process before the exit date as ensuring appropriate safeguards for transfers from the UK. On that basis, if on exit date you have in place binding corporate rules within your organisation covering the UK sender of data and the receiver (wherever located), the personal data may be sent. You will need to update your EEA binding corporate rules, so that the UK is listed as a third country outside the EEA.
- There may be other contractual or policy-based mechanisms available that provide appropriate safeguards, although to date none has been approved.
- If there is no adequacy decision and no appropriate safeguards, but one of the list of exceptions under the EU GDPR applies, you will be able to make the restricted transfer. These exceptions will continue under the UK GDPR.
What are the key points if we are receiving transfers from the EEA into the UK?
The EU GDPR will continue to apply to an EEA sender of personal data. To help you understand the obligations on the EEA sender of the personal data to you in the UK, you can use our guidance on international transfers. You should bear in mind that on exit date the UK will be a third country outside the EEA.
The European Data Protection Board (EDPB) has also published an information note on data transfers under the GDPR in the event of a no-deal Brexit. The EDPB is still finalising detailed guidance on international transfers more generally, and we advise that you take a broad interpretation of a restricted transfer, which is that you are receiving a restricted transfer if you are a controller or processor located in the UK and an EEA located controller or processor sends you personal data.
Under the GDPR, an EEA controller or processor will be able to make a restricted transfer of personal data to the UK if any of the following apply:
- The transfer is covered by an adequacy decision by the European Commission.
- At exit date there may not be an adequacy decision by the European Commission regarding the UK. We will keep you updated as to any plans by the UK Government and European Commission regarding an adequacy decision.
- If there is no European Commission adequacy decision in respect of the UK, but the EEA sender has put in place one of the EU GDPR list of appropriate safeguards, the EEA sender will be able to make the transfer to you.
- For most businesses a convenient appropriate safeguard is standard contractual clauses. We have an interactive tool to help you decide: Do I need to use standard contractual clauses for transfers from the EEA to the UK?. We also have template contracts which you can use:
- For restricted transfers from an EEA public body to a UK public body, where one of the parties is unable to enter into a contract, an appropriate safeguard may be provisions inserted into an administrative arrangement between these bodies. This will need to be authorised by the data protection supervisory authority with oversight of the EEA public body.
A UK regulator makes a request to an EEA counterparty for information about the good standing of an individual who has moved to the UK. The EEA regulator is not able to enter into contracts. The two regulators could agree to an appropriate administrative arrangement, which would need to be approved by the EEA supervisory authority of the EEA counterparty.
- If you have in place binding corporate rules covering a UK-based entity, which are authorised under the EU process before the exit date, this will continue to provide an appropriate safeguard for personal data transfers from the EEA to the UK.
- Those binding corporate rules would need to be updated, with effect on the exit date, to recognise the UK as a third country outside the EEA for the purposes of the EU GDPR.
- The EDPB has published an information note on BCRs which have the ICO as the BCR lead supervisory authority.
- If there is no European Commission adequacy decision in relation to the UK and no appropriate safeguards, but one of the list of EU GDPR exceptions applies, your EEA sender will be able to transfer personal data to you. However, in line with EDPB guidance, these derogations must be interpreted restrictively and mainly relate to transfers that are occasional and non-repetitive.
- If there is a medical emergency in which the data is needed to provide medical care or to avoid serious harm to the individual, and the individual is physically or legally unable to give his or her consent, an exception will apply. The sender may go ahead and make the transfer on this basis.
- The other exceptions are very limited in scope. Broadly, they cover:
  - the individual's explicit consent;
  - an occasional transfer to perform a contract with an individual;
  - an occasional transfer for important reasons of public interest;
  - an occasional transfer to establish, make or defend legal claims;
  - transfers from public registers; or
  - a truly exceptional transfer for a compelling legitimate interest.
- It is up to the sender in the EEA to decide whether they think that an exception applies.
What are the key points if we are receiving transfers into the UK from countries, territories or sectors covered by a European Commission adequacy decision?
You should read this section if you are receiving personal data from one or more of the following: Andorra, Argentina, Canada (commercial organisations only), Faroe Islands, Guernsey, Isle of Man, Israel, Japan (private sector organisations only), Jersey, New Zealand, Switzerland, Uruguay or USA (under Privacy Shield only).
These are the countries, territories or sectors which the European Commission has made a finding of adequacy about.
In order to have received and to maintain an adequacy decision, the country or territory is likely to have its own legal restrictions on making transfers of personal data to countries outside the EEA. On the UK's exit from the EU, this will include the UK.
We understand that the UK government is having discussions with these countries and territories in order to make arrangements for transfers to the UK. We will provide further guidance on this in due course.
Otherwise, if you wish to continue receiving personal data from these countries or territories, you and the sender of the data will need to consider how to comply with local law requirements on transfers of personal data.
How can we prepare?
- The first thing to do is to take stock. Understand your international flows of personal data, so that you know if any of your transfers are or will become restricted transfers under UK or EU data protection law on exit date. While all transfers have to be considered, you may want to prioritise transfers of large volumes of data, transfers of special category data or criminal convictions and offences data, and your business critical transfers.
- Consider how you may continue to make and receive those transfers lawfully after exit date, and without an adequacy decision by the European Commission in relation to the UK. Key transfers to consider will be from the EEA to the UK.
- Often a relatively simple way to provide an appropriate safeguard for a restricted transfer is to enter into standard contractual clauses between the sender and receiver of personal data.
We have an interactive tool to help you decide: Do I need to use standard contractual clauses for transfers from the EEA to the UK?. We also have template contracts which you can use:
- Multinational corporate groups should also consider their use of existing EEA approved binding corporate rules to make transfers into and out of the UK. These will need updating to reflect that, under the EU GDPR, the UK becomes a third country on exit date.
- If as a result of exit you will be making transfers of personal data from the UK that will become restricted transfers (eg transfers between the UK and the EEA which were previously permitted as transfers between EU Member States), you should also update your documentation and privacy notice to expressly cover those transfers.
- If you are receiving personal data from a country, territory or sector covered by a European Commission adequacy decision, the sender of the data will need to consider how to comply with its local laws on international transfers.