Does this section apply to us?
This section applies if you are a UK-based business or organisation subject to the UK GDPR and you transfer personal data to or from other countries (including European countries).
The EU GDPR adequacy decision means that data can continue to flow from the EEA in most cases. The decision does not cover data transferred for the purposes of immigration control or where the UK immigration exemption applies.
This section does not apply to you if:
- you never transfer personal data outside the UK and never receive personal data from outside the UK; or
- you only transfer personal data outside the UK to consumers or only receive personal data from outside the UK directly from consumers.
What should we do?
Map your flows of international data. Because the EU considers the UK GDPR to be adequate, data can continue to flow as before in the majority of cases, and you don’t need to consider another appropriate safeguard.
You should identify any transfers you receive for the purposes of immigration control (or data that falls within the UK immigration exemption) as these are excluded from adequacy; they are restricted transfers and fall under different rules.
What about receiving transfers covered by a European Commission adequacy decision?
If you are receiving personal data from a country, territory or sector covered by a European Commission adequacy decision, the sender of the data will need to consider how to comply with its local laws on international transfers. Check local legislation and guidance and seek legal advice if necessary.
How can we transfer data from the UK?
You don’t need any new arrangements for transfers from the UK to the EEA.
The UK government has stated that transfers of data from the UK to the EEA are permitted. It says it will keep this under review.
The UK is England, Scotland, Wales, and Northern Ireland. It does not include Crown dependencies or UK overseas territories, including Gibraltar.
The UK government will allow transfers to Gibraltar to continue.
You should update your documentation and privacy notice to expressly cover these transfers.
If you transfer personal data outside the EEA now, you should already have in place arrangements for making a restricted transfer under the UK GDPR. Further detail is provided in the international transfers section of our Guide to GDPR.
What about transfers from the EEA into the UK?
Receiving data transfers from the EEA
Unless you are processing or holding data transferred for the purposes of immigration control (or data which otherwise falls within the UK immigration exemption), data can still flow freely from the EEA because the EU have adopted adequacy decisions about the UK.
Which regime applies?
Whilst the adequacy decisions remain in place, the UK GDPR applies. Both decisions are expected to last until 27 June 2025.
The EU Commission must monitor developments in the UK on an ongoing basis to ensure that the UK continues to provide an equivalent level of data protection. The Commission can amend, suspend, or repeal the decisions if issues cannot be resolved. Also, EU data subjects or an EU data protection authority can initiate a legal challenge to the decisions. The Court of Justice of the European union would then have to decide whether the UK did provide essentially equivalent protection.
In the absence of an EU GDPR adequacy decision, the Frozen GDPR would apply to personal data if:
- it was processed in the UK under the EU GDPR before 01 January 2021; or
- it’s being processed in the UK on the basis of the Withdrawal Agreement (for example, in order to comply with legal obligations under the Withdrawal Agreement).
You may need to be able to identify any personal data you’ve collected before the end of 2020 about individuals located outside the UK.
In addition, you may need to be able to identify any new non-UK personal data that you only process because you’re complying with the provisions of the Withdrawal Agreement.
What about the immigration exemption?
Receiving data transfers from the EEA
The EU GDPR adequacy decision does not cover personal data transferred from the EEA for the purposes of UK immigration control, or data which would otherwise fall under the scope of the immigration exemption in DPA2018. EEA organisations can still make these transfers using an appropriate safeguard from the EU GDPR.
Usually, the simplest way to provide an appropriate safeguard for a restricted transfer from the EEA to the UK is to enter into standard contractual clauses with the sender of the personal data. Further detail is provided in the international transfers section of our Guide to GDPR.
Which regime applies to data transfers received that engage the immigration exemption?
If you receive data from the EEA for immigration control purposes or where the UK immigration exemption applies, you should consider whether the Frozen GDPR applies. The Frozen GDPR is the EU GDPR almost exactly as it was on 31 December 2020. The Frozen GDPR won’t change even if the UK GDPR or EU GDPR are amended.
The Frozen GDPR applies to immigration data if:
- it was processed in the UK under the EU GDPR before 1 January 2021 (personal data you’ve collected before the end of 2020 about individuals located outside of the UK); or
- it’s being processed in the UK on the basis of the Withdrawal Agreement (for example, in order to comply with legal obligations under the Withdrawal Agreement).
How can we maintain transfers into the UK from countries, territories or sectors covered by an EC adequacy decision?
This section applies if you are receiving personal data from one or more of the following:
Andorra, Argentina, Canada (commercial organisations only), Faroe Islands, Guernsey, Isle of Man, Israel, Japan (private-sector organisations only), Jersey, New Zealand, Switzerland and Uruguay.
These are the countries, territories or sectors that the European Commission has made a finding of adequacy about.
To have received and to maintain an adequacy decision, the country or territory is likely to have its own legal restrictions on making transfers of personal data to countries outside the EEA. This includes the UK.
UK officials are working with these countries and territories to make specific arrangements for transfers to the UK where possible. See the ‘other resources’ box below for links to the latest information on specific arrangements in each territory (where available).
Otherwise, if you wish to continue receiving personal data from these countries or territories, you and the sender of the data will need to consider how to comply with local law requirements on transfers of personal data and seek local legal advice.
Other resources
For more information, please check legislation and guidance from the supervisory authority in the sender’s country, or seek your own legal advice. These links provide information on specific arrangements in:
- Argentina: resolution (only available in Spanish)
- Canada: existing transfer rules
- Faroe Islands: Ministerial Order (only available in Faroese)
- Guernsey: legislation change
- Isle of Man: legislation change
- Israel: current privacy law
- Japan: designation of UK as safe destination (only available in Japanese)
- Jersey: legislation change
- New Zealand: existing transfer rules continue
- Switzerland: EU Exit technical notice
- Uruguay: resolution (only available in Spanish)
We will update this list as we become aware of any further guidance or legislation. However, these links are for information only. The sender should always ensure it checks with its supervisory authority for the latest guidance, and seek legal advice if in any doubt.