The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

The EU Commission announced on 28 June 2021 that adequacy decisions for the UK have been approved. We are in the process of updating our guidance to reflect this decision.


EEA The European Economic Area. It is made up of the EU member states plus Iceland, Norway and Liechtenstein.
EU GDPR General Data Protection Regulation. This sets out the data protection rules which apply across the EEA.
UK GDPR General Data Protection Regulation. This sets out the data protection rules which apply within the UK.
SCCs Standard contractual clauses. These are standard clauses you can use when transferring personal data to other countries to make sure you comply with the rules on international transfers and keep that data protected.
DPO Data protection officer. If you are a public authority or if your core activities involve certain types of large-scale processing, you must have a DPO.
Lead authority A European data protection regulator who takes action on behalf of regulators across the EEA. Having a lead authority avoids your having to deal with different regulators and enforcement action in every EEA country where individuals are affected. You will only have a lead authority if you have an office, branch or other establishment inside the EEA.

The European Commission has the power to determine whether a third country (the UK becomes a third country to the EU GDPR once the transition period ends) has an adequate level of data protection. The effect of an adequacy decision is that personal data can be sent from an EEA state to a third country without any further safeguard being necessary. On 19 February 2021 the European Commission published its draft decisions on the UK’s adequacy under the EU’s General Data Protection Regulation (EU GDPR) and Law Enforcement Directive (LED). In both cases, the European Commission has found the UK to be adequate.

The draft decisions will now be considered by the European Data Protection Board (EDPB) and a committee of the 27 EU Member Governments.  If the committee approves the draft decisions, then the European Commission can formally adopt them as legal adequacy decisions.  There is no set timescale for this process, it is likely to take several months. We will update our guidance to reflect the outcome of this.
Legacy data

Data you collected before the end of 2020 about people who were located outside the UK at the end of 2020. You may use the latest information you have about where people were living, up to 31 December 2020. 

Personal data processed under a provision of EU law that applies in the UK by virtue of the Withdrawal Agreement.

Frozen GDPR The GDPR as it stood on 31 December 2020.