Does this section apply to us?
This section applies if you are a UK-based business or organisation subject to the GDPR and you transfer personal data to or from other countries (including European countries).
This section does not apply to you if:
- you never transfer personal data outside the UK and never receive personal data from outside the UK; or
- you only transfer personal data outside the UK to consumers or only receive personal data from outside the UK directly from consumers.
A hairdresser in Cheshire has a client database which it uses for bookings and marketing. It stores this database on its office computer. It has never sent any of its client data outside the UK and has no intention of doing so. The hairdresser does not need to consider this section on international transfers.
A hotel in Cornwall takes direct bookings from individuals across the EEA, which include their names, addresses and other personal information. It receives personal data from those individuals and sends personal data back to them. Neither transfer is restricted under the GDPR or the UK GDPR, as each is made directly with a consumer. The hotel does not need to consider this section on international transfers.
However, if either business uses a cloud IT service which stores and/or processes their data (including personal data) anywhere outside the UK (including in the EEA), it should read this section on international transfers.
How can we prepare?
- The first thing is to look at what you do now. Understand your international flows of personal data. Key transfers to identify will be from the EEA to the UK.
- While all transfers have to be considered, you may want to prioritise transfers of large volumes of data, transfers of special category data or criminal convictions and offences data, and your business-critical transfers.
- Consider how you may continue to receive these transfers lawfully after exit date. Usually the simplest way to provide an appropriate safeguard for a restricted transfer from the EEA to the UK is to enter into standard contractual clauses with the sender of the personal data.
We have an interactive tool to help you decide: Do I need to use standard contractual clauses for transfers from the EEA to the UK? We also have template contracts you can use.
If you prefer, you can use our contract builder to automatically generate the contract. You will need detailed information about the purposes, scope and context of the processing to hand.
Multinational corporate groups should also consider their use of existing EEA-approved binding corporate rules to make transfers into and out of the UK. These will need updating to reflect that, under the EU GDPR, the UK becomes a third country on exit date.
You can continue to make transfers of data from the UK to the EEA under UK adequacy regulations, but you should update your documentation and privacy notice to expressly cover those transfers. Transfers from the UK to other countries can continue under existing arrangements.
If you are receiving personal data from a country, territory or sector covered by a European Commission adequacy decision, the sender of the data will need to consider how to comply with its local laws on international transfers. Check local legislation and guidance, and seek legal advice if necessary.
What are the key changes?
On exit date there will be two sets of rules to consider:
- First, the UK rules on transferring data outwards from the UK.
- Second, the impact of EU transfer rules on those sending you personal data from outside the UK (including from the EEA) into the UK.
If you transfer personal data outside the EEA now, you should already have in place arrangements for making a restricted transfer under the GDPR. Further detail is provided in the international transfers section of our Guide to GDPR. You won’t need any new arrangements for transfers from the UK, but you need to put in place safeguards to maintain data flows from the EEA into the UK.
How can we transfer data from the UK?
This section applies if you are sending personal data outside the UK.
You are making a restricted transfer outwards from the UK if:
- the UK version of the GDPR applies to the processing of the personal data you are transferring;
- the UK GDPR does not apply to the importer of the data, usually because they are located in a country outside the UK (which may be in the EU, the EEA or elsewhere); and
- you, the sender of the personal data, and the receiver of the data are separate organisations (even if you are both companies in the same group).
A UK company passes employee information to a centralised group human resources service provided by its parent company in Germany. After the UK exits the EU, this will be a restricted transfer under the UK GDPR.
The UK is England, Scotland, Wales, and Northern Ireland. It does not include Crown dependencies or UK overseas territories, including Gibraltar.
The UK government has stated that, after Brexit, transfers of data from the UK to the EEA will be permitted. It says it will keep this under review.
The UK government will allow transfers to Gibraltar to continue.
If your restricted transfer is not to the EEA, you should already have considered how to comply with the GDPR. You will continue to be able to rely on the same mechanisms. In particular:
- You will be able to make the restricted transfer if it is covered by new UK adequacy regulations. Adequacy regulations confirm that a particular country or territory (or a specified sector in a country or territory) or international organisation has an adequate data protection regime.
- The UK government intends to recognise the EU adequacy decision made by the European Commission before the exit date. This will allow restricted transfers to continue to be made to most organisations, countries, territories or sectors covered by an EU adequacy decision.
- Specific UK arrangements have now been confirmed regarding the recent EU adequacy decision for Japan. This secures the necessary protections for UK data as well as EU data, so that data can continue to flow from the UK to Japan.
- Modified arrangements will apply regarding the EU adequacy decision for the EU/US Privacy Shield, as this is an EU/US-specific arrangement. The UK government is making arrangements for its continued application to restricted transfers from the UK to the USA and there is further information on the US government’s Privacy Shield website. If the UK exits the EU without the Withdrawal Agreement (‘no deal’), then you as a UK business will continue to be able to transfer personal data to US organisations participating in the Privacy Shield if they have updated their public commitment to comply with the Privacy Shield to expressly state that it applies to transfers of personal data from the UK.
- If no adequacy decision covers your restricted transfer, you should consider putting in place one of a list of appropriate safeguards to cover the restricted transfer.
- For most businesses, a convenient appropriate safeguard is the use of standard contractual clauses. The UK government intends to recognise EC-approved standard contractual clauses as providing an appropriate safeguard for restricted transfers from the UK. We have template contracts you can use.
A UK travel company organises educational visits overseas for schools. It sends personal data of those going on the trips to hotels in Spain, Uruguay and Mexico. The travel company, the schools and each hotel are separate controllers as each is processing the personal data for its own purposes and making its own decisions. The personal data of students is passed from the schools to the UK company and then to the hotels. The travel company is making a restricted transfer to the hotels. It does not need to take additional steps when transferring personal data to:
- the Spanish hotel (as the UK government will recognise EEA countries as ensuring an adequate level of data protection under UK law); and
- the Uruguayan hotel (as the UK government will recognise the EC’s adequacy decision regarding Uruguay).
To transfer personal data to the Mexican hotel, the company will need to take additional steps to comply with the provisions on restricted transfers in the UK GDPR. The most appropriate action is likely to be using standard contractual clauses.
- For restricted transfers from a UK public body to a non-EEA public body, where one party is unable to enter into a binding contract, an appropriate safeguard may be an administrative arrangement between these bodies which has been approved by the ICO.
- For restricted transfers from the UK but within a corporate group or to a group of overseas service providers, another convenient method of providing an appropriate safeguard is binding corporate rules.
- The UK government will recognise binding corporate rules authorised under the EU process before the exit date as ensuring appropriate safeguards for transfers from the UK. On that basis, if on exit date you have in place binding corporate rules within your organisation covering the UK sender of data and the receiver (wherever located), the personal data may be sent. You will need to update your EEA binding corporate rules, so that the UK is listed as a third country outside the EEA.
- Other contractual or policies-based mechanisms may provide appropriate safeguards, but so far none have been approved.
If there is no adequacy decision and no appropriate safeguards, but one of the list of exceptions under the EU GDPR applies, you will be able to make the restricted transfer. These exceptions will continue under the UK GDPR.
How can we maintain transfers from the EEA into the UK?
This section applies if you are receiving personal data from the EEA.
The EU GDPR will continue to apply to an EEA sender of personal data. To help you understand the obligations on the EEA sender of the personal data to you in the UK, you can use our guidance on international transfers. You should bear in mind that on exit date the UK will be a third country outside the EEA.
The European Data Protection Board (EDPB) has also published an information note on data transfers under the GDPR in the event of a no-deal Brexit.
The EDPB is still finalising detailed guidance on international transfers more generally. We advise you to take a broad interpretation of a restricted transfer, which is that you are receiving a restricted transfer if you are a controller or processor located in the UK and an EEA-located controller or processor sends you personal data.
Under the GDPR, an EEA controller or processor will be able to make a restricted transfer of personal data to the UK if any of the following apply:
- The EEA controller or processor will be able to make a restricted transfer to the UK if it is covered by an EC adequacy decision.
- If we leave the EU without a deal, at exit date there will not be an EC adequacy decision regarding the UK. We will keep you updated as to any plans by the UK Government and the EC regarding an adequacy decision.
- If there is no EC adequacy decision regarding the UK, but the EEA sender has put in place one of the EU GDPR list of appropriate safeguards, the EEA sender will be able to make the transfer to you.
- For most businesses a convenient appropriate safeguard is standard contractual clauses. We have an interactive tool to help you decide: Do I need to use standard contractual clauses for transfers from the EEA to the UK? We also have template contracts you can use.
For restricted transfers from an EEA public body to a UK public body, where one of the parties is unable to enter into a contract, an appropriate safeguard may be provisions inserted into an administrative arrangement between these bodies. This will need to be authorised by the data protection supervisory authority with oversight of the EEA public body.
A UK regulator makes a request to an EEA counterparty for information about the good standing of an individual who has moved to the UK. The EEA regulator is not able to enter into contracts. The two regulators could agree to an appropriate administrative arrangement, which would need to be approved by the EEA supervisory authority of the EEA counterparty.
- If you have in place binding corporate rules covering a UK-based entity, which are authorised under the EU process before the exit date, this will continue to provide an appropriate safeguard for personal data transfers from the EEA to the UK.
- Those binding corporate rules would need to be updated, with effect on the exit date, to recognise the UK as a third country outside the EEA for the purposes of the EU GDPR.
- The EDPB has published an information note on BCRs which have the ICO as the BCR lead supervisory authority.
If there is no EC adequacy decision regarding the UK and no appropriate safeguards, but one of the list of EU GDPR exceptions applies, your EEA sender will be able to transfer personal data to you. However, in line with EDPB guidance, these must be interpreted restrictively and mainly relate to transfers that are occasional and non-repetitive.
- If there is a medical emergency and you need the data to give medical care to avoid a risk of serious harm to an individual, and the individual is (physically or legally) unable to give consent, then you will be able to rely on an exception. The sender may go ahead and make the transfer on this basis.
- The other exceptions are very limited. Broadly, they cover:
  - the individual's explicit consent;
  - an occasional transfer to perform a contract with an individual;
  - an occasional transfer for important reasons of public interest;
  - an occasional transfer to establish, make or defend legal claims;
  - transfers from public registers; or
  - a truly exceptional transfer for a compelling legitimate interest.
- It is up to the sender in the EEA to decide whether they think an exception applies.
How can we maintain transfers into the UK from countries, territories or sectors covered by an EC adequacy decision?
This section applies if you are receiving personal data from one or more of the following:
Andorra, Argentina, Canada (commercial organisations only), Faroe Islands, Guernsey, Isle of Man, Israel, Japan (private-sector organisations only), Jersey, New Zealand, Switzerland, Uruguay, or USA (under Privacy Shield only).
These are the countries, territories or sectors that the European Commission has made a finding of adequacy about.
To have received and to maintain an adequacy decision, the country or territory is likely to have its own legal restrictions on making transfers of personal data to countries outside the EEA. This will include the UK on its exit from the EU.
UK officials are working with these countries and territories to make specific arrangements for transfers to the UK where possible. See the ‘other resources’ box below for links to the latest information on specific arrangements in each territory (where available).
Otherwise, if you wish to continue receiving personal data from these countries or territories, you and the sender of the data will need to consider how to comply with local law requirements on transfers of personal data, and seek local legal advice.
For more information, please check legislation and guidance from the supervisory authority in the sender’s country, or seek your own legal advice. These links provide information on specific arrangements in:
- Argentina: resolution (only available in Spanish)
- Canada: existing transfer rules
- Faroe Islands: Ministerial Order (English statement at the bottom)
- Guernsey: legislation change
- Isle of Man: legislation change
- Israel: current privacy law
- Japan: designation of UK as safe destination (only available in Japanese)
- Jersey: legislation change
- New Zealand: existing transfer rules continue
- Switzerland: EU Exit technical notice
- Uruguay: resolution (only available in Spanish)
- US: Privacy Shield and the UK FAQs
We will update this list as we become aware of any further guidance or legislation. However, these links are for information only. The sender should always ensure it checks with its supervisory authority for the latest guidance, and seek legal advice if in any doubt.