The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Does this section apply to us?

This section applies if you are a UK-based business or organisation subject to the UK GDPR and you transfer personal data to or from other countries (including European countries).

This section does not apply to you if:

  • you never transfer personal data outside the UK and never receive personal data from outside the UK; or
  • you only transfer personal data outside the UK to consumers or only receive personal data from outside the UK directly from consumers.

Examples

A hairdresser in Cheshire has a client database which it uses for bookings and marketing. It stores this database on its office computer. It has never sent any of its client data outside the UK and has no intention of doing so. The hairdresser does not need to consider this section on international transfers.

A hotel in Cornwall takes direct bookings from individuals across the EEA, which includes their names, addresses and other personal information. It receives personal data from those individuals and sends personal data back to them. Neither transfer is restricted under the GDPR or the UK GDPR, as it is made directly with a consumer. The hotel does not need to consider this section on international transfers.

However, if either business uses a cloud IT service which stores and/or processes their data (including personal data) anywhere outside the UK (including in the EEA), it should read this section on international transfers.

How can we prepare?

  • The first thing is to understand your international flows of personal data. Key transfers to identify will be from the EEA to the UK. Take stock so that you can distinguish between data acquired before the end of the transition period and after. Data you collected before the end of 2020 about people who were located outside the UK at the end of 2020 will be subject to the EU GDPR as it stood on 31 December (known as the ‘frozen GDPR’). You may use the latest information you have about where people were living, up to 31 December 2020. 
  • Personal data acquired since 01 January that is processed on the basis of the Withdrawal Agreement (for example if personal data is processed under a provision of EU law that applies in the UK by virtue of the Withdrawal Agreement) is also subject to the frozen GDPR. Our End of Transition Interactive Tool will help you decide if you are processing ‘legacy data’ and provides more guidance. As the UK data protection regime is currently aligned with the frozen GDPR, you can continue to read our guidance on the basis that UK GDPR applies. If the EU Commission adopts a GDPR ‘adequacy decision’ then these requirements will cease to apply.
  • While all transfers have to be considered, you may want to prioritise transfers of large volumes of data, transfers of special category data or criminal convictions and offences data, and your business-critical transfers.
  • Consider how you may continue to receive these transfers lawfully if the bridge ends without the adoption of adequacy decisions. Usually the simplest way to provide an appropriate safeguard for a restricted transfer from the EEA to the UK is to enter into standard contractual clauses with the sender of the personal data.

We have an interactive tool to help you decide: Do I need to use standard contractual clauses for transfers from the EEA to the UK? We also have template contracts you can use:

If you prefer, you can use our contract builder to automatically generate the contract. You will need detailed information about the purposes, scope and context of the processing to hand:

We have produced an information note about SCCs after the Brexit transition period.

Multinational corporate groups should also consider their use of existing EEA-approved binding corporate rules to make transfers into and out of the UK. These will need updating to reflect that, under the EU GDPR, the UK is now a third country.

You can continue to make transfers of data from the UK to the EEA under UK adequacy regulations, but you should update your documentation and privacy notice to expressly cover those transfers. Transfers from the UK to other countries can continue under existing arrangements.

If you are receiving personal data from a country, territory or sector covered by a European Commission adequacy decision, the sender of the data will need to consider how to comply with its local laws on international transfers. Check local legislation and guidance, and seek legal advice if necessary.

Further Reading

For more information about the UK Government’s view on the application of the Withdrawal Agreement personal data protection provisions (legacy data), read Using personal data in your business or other organisation from 1 January 2021.

What are the key changes?

There are two sets of rules to consider:

  • First, the UK rules on transferring data outwards from the UK.
  • Second, the impact of EU transfer rules on those sending you personal data from outside the UK (including from the EEA) into the UK.

In both cases, you can transfer personal data if it is covered by an adequacy decision, an appropriate safeguard or an exception.

If you transfer personal data outside the EEA now, you should already have in place arrangements for making a restricted transfer under the UK GDPR. Further detail is provided in the international transfers section of our Guide to GDPR.

You don’t need any new arrangements for transfers from the UK.

Data can still flow freely from the EEA because the EU has agreed to delay transfer restrictions for at least four months, which can be extended to six months (known as the bridge). If the bridge ends without EU adequacy decisions, transfers from the European Economic Area (EEA) to the UK will need to comply with EU GDPR transfer restrictions. We recommend that you put safeguards in place by the end of April, if you have not done so already.

How can we transfer data from the UK?

This section applies if you are sending personal data outside the UK.

You are making a restricted transfer outwards from the UK if:

  • the UK GDPR applies to the processing of the personal data you are transferring;
  • the UK GDPR does not apply to the importer of the data, usually because they are located in a country outside the UK (which may be in the EU, the EEA or elsewhere); and
  • you, the sender of the personal data, and the receiver of the data are separate organisations (even if you are both companies in the same group).

Example

A UK company passes employee information to a centralised group human resources service provided by its parent company in Germany. This is a restricted transfer under the UK GDPR.

The UK is England, Scotland, Wales, and Northern Ireland. It does not include Crown dependencies or UK overseas territories, including Gibraltar.

The UK government has stated that transfers of data from the UK to the EEA are permitted. It says it will keep this under review.

The UK government will allow transfers to Gibraltar to continue.

If your restricted transfer is not to the EEA, you should already have considered how to comply with the UK GDPR. You will continue to be able to rely on the same mechanisms. In particular:

Adequacy decisions

  • You will be able to make the restricted transfer if it is covered by new UK adequacy regulations. Adequacy regulations confirm that a particular country or territory (or a specified sector in a country or territory) or international organisation, has an adequate data protection regime.
  • Specific UK arrangements have been confirmed regarding the recent EU adequacy decision for Japan. This secures the necessary protections for UK data as well as EU data, so that data can continue to flow from the UK to Japan.

Appropriate safeguards

Example

A UK travel company organises educational visits overseas for schools. It sends personal data of those going on the trips to hotels in Spain, Uruguay and Mexico. The travel company, the schools and each hotel are separate controllers as each is processing the personal data for its own purposes and making its own decisions. The personal data of students is passed from the schools to the UK company and then to the hotels. The travel company is making a restricted transfer to the hotels. It does not need to take additional steps when transferring personal data to:

  • the Spanish hotel (as the UK government has recognised EEA countries as ensuring an adequate level of data protection under UK law); and
  • the Uruguayan hotel (as the UK government has recognised the EC’s adequacy decision regarding Uruguay).

To transfer personal data to the Mexican hotel, the company will need to take additional steps to comply with the provisions on restricted transfers in the UK GDPR. The most appropriate action is likely to be using standard contractual clauses.

  • For restricted transfers from a UK public body to a non-EEA public body, where one party is unable to enter into a binding contract, an appropriate safeguard may be an administrative arrangement between these bodies which has been approved by the ICO.
  • For restricted transfers from the UK but within a corporate group or to a group of overseas service providers, another convenient method of providing an appropriate safeguard is binding corporate rules. The UK Government has not given mutual recognition to EU BCRs. However, provision has been made to allow holders of EU BCRs authorised before the end of the transition period to have a UK BCR confirmed, provided certain requirements are met. Those requirements are set out in our information note and requirements table.
  • Other contractual or policies-based mechanisms may provide appropriate safeguards, but so far none have been approved.

Exceptions

If there is no adequacy decision and no appropriate safeguards, but one of the list of exceptions under the EU GDPR applies, you will be able to make the restricted transfer. These exceptions will continue under the UK GDPR.

How can we maintain transfers from the EEA into the UK?

This section applies if you are receiving personal data from the EEA.

Data can still flow freely from the EEA because the EU has agreed to delay transfer restrictions for at least four months, which can be extended to six months (known as the bridge). If the bridge ends without the adoption of adequacy decisions, transfers from the European Economic Area (EEA) to the UK will need to comply with EU GDPR transfer restrictions. We recommend that you put safeguards in place by the end of April, if you have not done so already.

The EU GDPR applies to an EEA sender of personal data. To help you understand the obligations on the EEA sender of the personal data to you in the UK, you can use our guidance on international transfers. You should bear in mind that the UK is now a third country outside the EEA.

The European Data Protection Board (EDPB) has also published an information note on data transfers under the EU GDPR in the absence of an agreement at the end of the transition period.

The EDPB is still finalising detailed guidance on international transfers more generally. We advise you to take a broad interpretation of a restricted transfer, which is that you are receiving a restricted transfer if you are a controller or processor located in the UK and an EEA-located controller or processor sends you personal data.

Under the EU GDPR, an EEA controller or processor will be able to make a restricted transfer of personal data to the UK if any of the following apply:

Adequacy decisions

  • On 19 February 2021 the European Commission published its draft decisions on the UK’s adequacy under the EU’s General Data Protection Regulation (EU GDPR) and Law Enforcement Directive (LED). In both cases, the European Commission has found the UK to be adequate.
  • The draft decisions will now be considered by the European Data Protection Board (EDPB) and a committee of the 27 EU Member Governments. If the committee approves the draft decisions, then the European Commission can formally adopt them as legal adequacy decisions.
  • If the EC adopt the adequacy decisions before the bridge ends, this will allow restricted transfers to continue to be made to most UK organisations, countries, territories or sectors covered by the decision.

Appropriate safeguards

  • If there is no EC adequacy decision regarding the UK, but if the EEA sender has put in place one of the EU GDPR list of appropriate safeguards, the EEA sender will be able to make the transfer to you.

For restricted transfers from an EEA public body to a UK public body, where one of the parties is unable to enter into a contract, an appropriate safeguard may be provisions inserted into an administrative arrangement between these bodies. This will need to be authorised by the data protection supervisory authority with oversight of the EEA public body.

Example

A UK regulator makes a request to an EEA counterparty for information about the good standing of an individual who has moved to the UK. The EEA regulator is not able to enter into contracts. The two regulators could agree to an appropriate administrative arrangement, which would need to be approved by the EEA supervisory authority of the EEA counterparty.

  • If you have in place binding corporate rules covering a UK-based entity, which are authorised under the EU process, this will continue to provide an appropriate safeguard for personal data transfers from the EEA to the UK.
  • Those binding corporate rules need to be updated, to recognise the UK as a third country outside the EEA for the purposes of the EU GDPR.
  • The EDPB has published an information note on BCRs which have the ICO as the BCR lead supervisory authority.

Exceptions

If, at the end of the , the EC have not adopted the GDPR regarding the UK and no appropriate safeguards, but one of the list of EU GDPR exceptions applies, your EEA sender will be able to transfer personal data to you. However, in line with EDPB guidance, these must be interpreted restrictively and mainly relate to transfers that are occasional and non-repetitive.

  • If there is a medical emergency and you need the data to give medical care to avoid a risk of serious harm to an individual, and the individual is (physically or legally) unable to give consent, then you will be able to rely on an exception. The sender may go ahead and make the transfer on this basis.
  • The other exceptions are very limited. Broadly, they cover:
    • the individual's explicit consent;
    • an occasional transfer to perform a contract with an individual;
    • an occasional transfer for important reasons of public interest;
    • an occasional transfer to establish, make or defend legal claims;
    • transfers from public registers; or
    • a truly exceptional transfer for a compelling legitimate interest.
  • It is up to the sender in the EEA to decide whether they think an exception applies.

How can we maintain transfers into the UK from countries, territories or sectors covered by an EC adequacy decision?

This section applies if you are receiving personal data from one or more of the following:

Andorra, Argentina, Canada (commercial organisations only), Faroe Islands, Guernsey, Isle of Man, Israel, Japan (private-sector organisations only), Jersey, New Zealand, Switzerland and Uruguay.

These are the countries, territories or sectors that the European Commission has made a finding of adequacy about.

To have received and to maintain an adequacy decision, the country or territory is likely to have its own legal restrictions on making transfers of personal data to countries outside the EEA. This includes the UK.

UK officials are working with these countries and territories to make specific arrangements for transfers to the UK where possible. See the ‘other resources’ box below for links to the latest information on specific arrangements in each territory (where available).

Otherwise, if you wish to continue receiving personal data from these countries or territories, you and the sender of the data will need to consider how to comply with local law requirements on transfers of personal data, and seek local legal advice.

Other resources

For more information, please check legislation and guidance from the supervisory authority in the sender’s country, or seek your own legal advice. These links provide information on specific arrangements in:

We will update this list as we become aware of any further guidance or legislation. However, these links are for information only. The sender should always ensure it checks with its supervisory authority for the latest guidance, and seek legal advice if in any doubt.