How have the rules on restricted transfers changed, now that the Brexit transition period has ended?
On 28 June 2021 the EU Commission adopted decisions on the UK’s adequacy under the EU’s General Data Protection Regulation (EU GDPR) and Law Enforcement Directive (LED). In both cases, the European Commission has found the UK to be adequate. This means that most data can continue to flow from the EU and the EEA without the need for additional safeguards. The adequacy decisions do not cover data transferred to the UK for the purposes of immigration control, or where the UK immigration exemption applies. For this kind of data, different rules apply and the EEA sender needs to put other transfer safeguards in place.
This guidance is about transferring data overseas from the UK. For further information on receiving personal data from the EEA, read our detailed guidance on data protection and the EU.
Restricted transfers from the UK to other countries, including to the EEA, are subject to transfer rules under the UK regime. These UK transfer rules broadly mirror the EU GDPR rules, but the UK has the independence to keep the framework under review.
There are transitional arrangements which aim to smooth the transition to the new UK regime.
First, there are provisions which permit the transfer of personal data from UK to the EEA and to any countries which, as at 31 December 2020, were covered by a European Commission ‘adequacy decision’. This is to be kept under review by the UK Government.
The UK government has the power to make its own ‘adequacy decisions’ in relation to third countries and international organisations. In the UK regime these are known as ‘adequacy regulations’.
The UK GDPR primarily applies to controllers and processors located in the United Kingdom, with some exceptions.
Individuals risk losing the protection of the UK GDPR if their personal data is transferred outside of the UK.
On that basis, the UK GDPR restricts transfers of personal data outside the UK, or the protection of the UK GDPR, unless the rights of the individuals in respect of their personal data is protected in another way, or one of a limited number of exceptions applies.
A transfer of personal data outside the protection of the UK GDPR (which we refer to as a ‘restricted transfer’), most often involves a transfer from the UK to another country.
Are we planning to make a restricted transfer of personal data outside of the UK? If no, you can make the transfer. If yes go to Q2
Do we need to make a restricted transfer of personal data in order to meet our purposes? If no, you can make the transfer without any personal data. If yes go to Q3
Are there UK ‘adequacy regulations’ in relation to the country or territory where the receiver is located or a sector which covers the receiver (which currently includes countries in the EEA and countries, territories or sectors covered by existing EU ‘adequacy decisions’)? If yes, you can make the transfer. If no go to Q4
Are we putting in place one of the ‘appropriate safeguards’ referred to in the UK GDPR? If yes, go to Q5 If no go to Q6
Having undertaken a risk assessment, we are satisfied that the data subjects of the transferred data continue to have a level of protection essentially equivalent to that under the UK data protection regime. If yes, you can make the transfer. If no, go to Q6.
Does an exception provided for in the UK GDPR apply? If yes, you can make the transfer. If no, you cannot make the transfer in accordance with the UK GDPR
If you reach the end without finding a provision which permits the restricted transfer, you will be unable to make that restricted transfer in accordance with the UK GDPR.
The European Data Protection Board (EDPB) have published recommendations on measures that supplement transfer tools, for consultation. The recommendations (when finalised) will apply to the EU GDPR transfer regime, and are included here only as useful reference about additional measures. We will be producing our own guidance on this topic in due course.
What are the restrictions on international transfers?
The UK GDPR restricts the transfer of personal data to countries outside the UK or to international organisations. These restrictions apply to all transfers, no matter the size of transfer or how often you carry them out.
Are we making a transfer of personal data outside the UK?
1) Are we making a restricted transfer?
You are making a restricted transfer if:
the UK GDPR applies to your processing of the personal data you are transferring.
The scope of the UK data protection regime is set out in Article 2 UK GDPR (what is processing of personal data) and section 207 DPA 2018 (where the DPA 2018, which incorporated the UK GDPR, applies). Please see the section of the guide What is personal data.
In general, the UK GDPR applies if you are processing personal data in the UK and may apply in specific circumstances if you are outside the UK and processing personal data about individuals in the UK. The EU Commission has found the UK to be adequate. This means that most data can continue to flow from the EU and the EEA without the need for additional safeguards. The EU Commission must monitor developments in the UK on an ongoing basis to ensure that the UK continues to provide an equivalent level of data protection. As the UK data protection regime is currently aligned with the EU GDPR, you can continue to read our guidance on the basis that the UK GDPR applies.
you are sending personal data, or making it accessible, to a receiver to which the UK GDPR will not apply in relation to their processing of the data. Usually because they are located in a country outside the UK; and
the receiver is legally distinct from you as it is a separate company, organisation or individual. This includes transfers to another company within the same corporate group. However, if you are sending personal data to someone employed by you or by your company or organisation, this is not a restricted transfer. The transfer restrictions only apply if you are sending personal data outside your company or organisation.
A UK company uses a centralised human resources service in the United States provided by its parent company. The UK company passes information about its employees to its parent company in connection with the HR service. This is a restricted transfer.
A UK company sells holidays in Australia. It sends the personal data of customers who have bought the holidays to the hotels they have chosen in Australia in order to secure their bookings. This is a restricted transfer.
Transfer does not mean the same as transit. If personal data is just electronically routed through a non-UK country but the transfer is actually from one UK organisation to another, then it is not a restricted transfer.
Personal data is transferred from a controller in the UK to another controller in the UK via a server in Australia. There is no intention that the personal data will be accessed or manipulated while it is in Australia. Therefore there is no restricted transfer.
You are making a restricted transfer if you collect information about individuals on paper, which is not ordered or structured in any way, and you send this to a service company located outside of the UK, to:
put into digital form; or
add to a highly structured manual filing system relating to individuals.
A UK insurance broker sends a set of notes about individual customers to a company outside the UK. These notes are handwritten and are not stored on computer or in any particular order. The non-UK company adds the notes to a computer customer management system. This is a restricted transfer.
Putting personal data on to a website will often result in a restricted transfer. The restricted transfer takes place when someone outside the UK accesses that personal data via the website.
If you load personal data onto a UK server which is then available through a website, and you plan or anticipate that the website may be accessed from outside the UK, you should treat this as a restricted transfer.
Do we need to make a restricted transfer?
Before making a restricted transfer you should consider whether you can achieve your aims without actually sending personal data.
If you make the data anonymous so that it is never possible to identify individuals (even when combined with other information which is available to receiver), it is not personal data. This means that the restrictions do not apply and you are free to transfer the anonymised data outside the UK.
How do we make a restricted transfer in accordance with the UK GDPR?
You must work through the following questions, in order.
If by the last question, you are still unable to make the restricted transfer, then it will be in breach of the UK GDPR.
Is the restricted transfer covered by ‘adequacy regulations’?
You may make a restricted transfer if the receiver is located in a third country or territory or is an international organisation, covered by UK “adequacy regulations”.
UK “adequacy regulations” set out in law that the legal framework in that country, territory, sector or international organisation has been assessed as providing ‘adequate’ protection for individuals’ rights and freedoms for their personal data.
There are provisional arrangements so that UK “adequacy regulations” include the EEA and all countries, territories and international organisations covered by European Commission “adequacy decisions” valid as at 31 December 2020. The UK intends to review these adequacy regulations over time.
1) What countries or territories are covered by adequacy regulations?
The UK has “adequacy regulations” in relation to the following countries and territories:
The European Economic Area (EEA) countries.
These are the EU member states and the EFTA States.
The EU member states are Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden.
The EFTA states are Iceland, Norway and Liechtenstein.
EU or EEA institutions, bodies, offices or agencies.
Countries, territories and sectors covered by the European Commission’s adequacy decisions (in force at 31 December 2020)
These include a full finding of adequacy about the following countries and territories:
Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.
In addition, the partial findings of adequacy about:
Japan – only covers private sector organisations.
Canada - only covers data that is subject to Canada's Personal Information Protection and Electronic Documents Act (PIPEDA). Not all data is subject to PIPEDA. For more details please see the EU Commission's FAQs on the adequacy finding on the Canadian PIPEDA.
Is the restricted transfer covered by appropriate safeguards?
If there are no UK ‘adequacy regulations’ about the country, territory or sector for your restricted transfer, you should then find out whether you can make the transfer subject to ‘appropriate safeguards’.
There is a list of appropriate safeguards in the UK GDPR. Each ensures that both you and the receiver of the restricted transfer are legally required to protect individuals’ rights and freedoms in respect of their personal data.
Have you undertaken a transfer impact assessment?
Before you may rely on an appropriate safeguard to make a restricted transfer, you must be satisfied that the data subjects of the transferred data continue to have a level of protection essentially equivalent to that under the UK data protection regime.
You should do this by undertaking a risk assessment, which takes into account the protections contained in that appropriate safeguard and the legal framework of the destination country (including laws governing public authority access to the data).
If your assessment is that the appropriate safeguard does not provide the required level of protection, you may include additional measures.
This assessment is undoubtedly complex in many situations. The ICO intends to issue guidance on this topic in due course.
The European Data Protection Board (EDPB) have published adopted recommendations on measures that supplement transfer tools. The recommendations apply to the EU GDPR transfer regime, and are included here only as useful reference about additional measures. We will be producing our own guidance on this topic in due course.
Each appropriate safeguard is set out below:
1. A legally binding and enforceable instrument between public authorities or bodies
You can make a restricted transfer if it is covered by a legal instrument between public authorities or bodies containing ‘appropriate safeguards’. The ‘appropriate safeguards’ must include enforceable rights and effective remedies for the individuals whose personal data is transferred.
This agreement or legal instrument could also be entered into with an international organisation.
You can make a restricted transfer if you and the receiver have entered into a contract incorporating standard data protection clauses recognised or issued in accordance with the UK data protection regime. These are known as ‘standard contractual clauses’ (‘SCCs’ or ‘model clauses’).
The SCCs contain contractual obligations on you (the data exporter) and the receiver (the data importer), and rights for the individuals whose personal data is transferred. Individuals can directly enforce those rights against the data importer and the data exporter.
EU SCCs entered into prior to the end of the transitional period continue to be valid for restricted transfers under the UK regime.
For new restricted transfers, you can continue to use the EU SCCs (which were valid at the end of the transitional period). There are two sets of standard contractual clauses for restricted transfers between a controller and controller, and one set between a controller and processor.
If you are making a restricted transfer from a controller to another controller, you can choose which set of clauses to use, depending on which best suits your business arrangements.
You are able to make changes to those EU SCCs so they make sense in a UK context provided you do not change the legal meaning of the SCCs. For example, changing references from the old EU Data Protection to the UK GDPR, changing references to the EU or Member States, to the UK, and changing references to a supervisory authority to the ICO.
Otherwise you must not make any changes to the SCCs, unless it is to add protections or more clauses on business related issues. You can add parties (i.e. additional data importers or exporters) provided they are also bound by the SCCs.
The ICO has consulted on our draft international transfer agreement (IDTA) and guidance, which replace SCCs. This closed in October 2021. The ICO’s work around IDTAs, and its consultation, are a requirement under s119a of the Data Protection Act 2018. The consultation will inform the final documents the ICO will lay before Parliament.
The ICO and the Secretary of State must keep the transitional arrangements for SCCs under review, and both are able to issue new SCCs. It may be that at some point the EU SCCs will cease to be valid, for new and/or existing restricted transfers from the UK. The ICO will provide more information about this should this situation arises, giving you plenty of notice.
A family books a holiday in Australia with a UK travel company. The UK travel company sends details of the booking to the Australian hotel.
Each company is a separate controller, as it is processing the personal data for its own purposes and making its own decisions.
The contract between the UK travel company and the hotel should use controller to controller standard contractual clauses.
The UK travel company must also undertake a transfer impact assessment, and if necessary include additional measures to ensure that the data subjects of the transferred data continue to have a level of protection essentially equivalent to that under the UK data protection regime.
You are permitted to make changes to them so they make sense for restricted transfers under the UK GDPR. We have created UK versions of the SCCs (with guidance), with suggested UK changes made for you:
We have produced guidance on Standard Contractual Clauses (SCCs) after the transition period ends.
The European Data Protection Board (EDPB) has published recommendations on measures that supplement transfer tools, for consultation. These recommendations will apply to the EU GDPR transfer regime, and are included only as useful reference about additional measures. The ICO intends to issue its own guidance on this topic in due course.
You can make a restricted transfer if the receiver has signed up to a code of conduct, which has been approved by the ICO. The code of conduct must include appropriate safeguards to protect the rights of individuals whose personal data is transferred, with a binding and enforceable commitment by the receiver to apply those appropriate safeguards.
No approved codes of conduct are yet in use, but we are actively working with various sector bodies and associations. We will publish further information once codes of conduct are approved.
In more detail - European Data Protection Board
The European Data Protection Board (EDPB) have published guidance on codes of conduct. This applies to the EU GDPR, and is included here as a useful reference. We will be producing our own guidance on this topic in due course.
5. Certification under an approved certification scheme
You can make a restricted transfer if the receiver has a certification, under a scheme approved by the ICO. The certification scheme must include appropriate safeguards to protect the rights of individuals whose personal data is transferred, with a binding and enforceable commitment by the receiver to apply those appropriate safeguards.
No approved certification schemes are yet in use as an appropriate safeguard for international transfers. The ICO will provide separate guidelines in relation to the use of certification schemes as a mechanism to facilitate international transfers in due course.
6. Contractual clauses authorised by the ICO
You can make a restricted transfer if you and the receiver have entered into a bespoke contract governing a specific restricted transfer which has been individually authorised by the ICO. This means that if you are making a restricted transfer from the UK, the ICO will have had to have approved the contract.
7. Administrative arrangements between public authorities or bodies
You can make a restricted transfer using:
An administrative arrangement (usually a document, such as a memorandum of understanding) between public authorities or bodies.
The administrative arrangement must set out ‘appropriate safeguards’ for the rights of the individuals whose personal data is to be transferred. The ‘appropriate safeguards’ must include effective and enforceable rights for the individuals whose personal data is transferred.
The administrative arrangement must be individually authorised by the ICO.
What if the restricted transfer is not covered by appropriate safeguards?
Is the restricted transfer covered by an exception?
If you are making a restricted transfer that is not covered by UK ‘adequacy regulations’, nor an appropriate safeguard, then you can only make that transfer if it is covered by one of the ‘exceptions’ set out in Article 49 of the UK GDPR.
You should only use these as true ‘exceptions’ from the general rule that you should not make a restricted transfer unless it is covered by UK ‘adequacy regulations’ or there are appropriate safeguards in place.
If it is covered by an exception, you may go ahead with the restricted transfer. Of course, you must still comply with the rest of the UK GDPR.
Each exception is set out below:
Exception 1. Has the individual given his or her explicit consent to the restricted transfer?
Please see the section on consent as to what is required for a valid explicit consent under the UK GDPR.
As a valid consent must be both specific and informed, you must provide the individual with precise details about the restricted transfer. You cannot obtain a valid consent for restricted transfers in general.
You should tell the individual:
the identity of the receiver, or the categories of receiver;
the country or countries to which the data is to be transferred;
why you need to make a restricted transfer;
the type of data;
the individual’s right to withdraw consent; and
the possible risks involved in making a transfer to a country which does not provide adequate protection for personal data and without any other appropriate safeguards in place. For example, you might explain that there will be no local supervisory authority, and no (or only limited) individual data protection or privacy rights.
Given the high threshold for a valid consent, and that the consent must be capable of being withdrawn, this may mean that using consent is not a feasible solution.
Exception 2. Do you have a contract with the individual? Is the restricted transfer necessary for you to perform that contract?
Are you about to enter into a contract with the individual? Is the restricted transfer necessary for you to take steps requested by the individual in order to enter into that contract?
This exception explicitly states that it can only be used for occasional restricted transfers. This means that the restricted transfer may happen more than once but not regularly. If you are regularly making restricted transfers, you should be putting in place an appropriate safeguard.
The transfer must also be necessary, which means that you cannot perform the core purpose of the contract or the core purpose of the steps needed to enter into the contract, without making the restricted transfer. It does not cover a transfer for you to use a cloud based IT system.
A UK travel company offering bespoke travel arrangements may rely on this exception to send personal data to a hotel in Peru, provided that it does not regularly arrange for its customers to stay at that hotel. If it did, it should consider using an appropriate safeguard, such as the standard contractual clauses.
It is only necessary to send limited personal data for this purpose, such as the name of the guest, the room required and the length of stay.
Example of necessary steps being taken at the individual’s request in order to enter into a contract: Before the package is confirmed (and the contract entered into), the individual wishes to reserve a room in the Peruvian hotel. The UK travel company has to send the Peruvian hotel the name of the customer in order to hold the room.
Public authorities cannot rely on this exception when exercising their public powers.
Exception 3. Do you have (or are you entering into) a contract with an individual which benefits another individual whose data is being transferred? Is that transfer necessary for you to either enter into that contract or perform that contract?
As set out in Exception 2, you may only use this exception for occasional transfers, and the transfer must be necessary for you to perform the core purposes of the contract or to enter into that contract.
You may rely on both Exceptions 2 and 3: Exception 2 for the individual entering into the contract and Exception 3 for other people benefiting from that contract, often family members.
Exceptions 2 and 3 are not identical. You cannot rely on Exception 3 for any restricted transfers needed for steps taken prior to entering in to the contract.
Public authorities cannot rely on this exception when exercising their public powers.
Following the Exception 2 example, Exception 3 may apply if the customer is buying the travel package for themselves and their family. Once the customer has bought the package with the UK travel company, it may be necessary to send the names of the family members to Peruvian hotel in order to book the rooms.
Exception 4: You need to make the restricted transfer for important reasons of public interest.
There must be a UK law which states or implies that this type of transfer is allowed for important reasons of public interest, which may be in the spirit of reciprocity for international co-operation. For example an international agreement or convention (which the UK has signed) that recognises certain objectives and provides for international co-operation (such as the 2005 International Convention for the Suppression of Acts of Nuclear Terrorism).
This can be relied upon by both public and private entities.
If a request is made by a non-EEA authority, requesting a restrictive transfer under this exception, and there is an international agreement such as a mutual assistance treaty (MLAT), you should consider referring the request to the existing MLAT or agreement.
You should not rely on this exception for systematic transfers. Instead, you should consider one of the appropriate safeguards. You should only use it in specific situations, and each time you should satisfy yourself that the transfer is necessary for an important reason of public interest.
Exception 5: You need to make the restricted transfer to establish if you have a legal claim, to make a legal claim or to defend a legal claim.
This exception explicitly states that you can only use it for occasional transfers. This means that the transfer may happen more than once but not regularly. If you are regularly transferring personal data, you should put in place an appropriate safeguard.
The transfer must be necessary, so there must be a close connection between the need for the transfer and the relevant legal claim.
The claim must have a basis in law, and a formal legally defined process, but it is not just judicial or administrative procedures. This means that you can interpret what is a legal claim quite widely, to cover, for example:
all judicial legal claims, in civil law (including contract law) and criminal law. The court procedure does not need to have been started, and it covers out-of-court procedures. It covers formal pre-trial discovery procedures.
administrative or regulatory procedures, such as to defend an investigation (or potential investigation) in competition law or financial services regulation, or to seek approval for a merger.
You cannot rely on this exception if there is only the mere possibility that a legal claim or other formal proceedings may be brought in the future.
Public authorities can rely on this exception, in relation to the exercise of their powers.
Exception 6: You need to make the restricted transfer to protect the vital interests of an individual. He or she must be physically or legally incapable of giving consent.
This applies in a medical emergency where the transfer is needed in order to give the medical care required. The imminent risk of serious harm to the individual must outweigh any data protection concerns.
You cannot rely on this exception to carry out general medical research.
If the individual is physically and legally capable of giving consent, then you cannot rely on this exception.
Exception 7: You are making the restricted transfer from a public register.
The register must be created under UK law and must be open to either:
the public in general; or
any person who can demonstrate a legitimate interest.
For example, registers of companies, associations, land registers or public vehicle registers. The whole of the register cannot be transferred, nor whole categories of personal data.
The transfer must comply with any general laws which apply to disclosures from the public register. If the register has been established at law and access is only given to those with a legitimate interest, part of that assessment must take into account the data protection rights of the individuals whose personal data is to be transferred. This may include consideration of the risk to that personal data by transferring it to a country with less protection.
This does not cover registers run by private companies, such as credit reference databases.
Exception 8: you are making a one-off restricted transfer and it is in your compelling legitimate interests.
If you cannot rely on any of the other exceptions, there is one final exception to consider. This exception should not be relied on lightly and never routinely as it is only for truly exceptional circumstances.
For this exception to apply to your restricted transfer:
there must be no UK ‘adequacy regulations’ which apply.
you are unable to use any of the other appropriate safeguards. You must give serious consideration to this, even if it would involve significant investment from you.
none of the other exceptions apply. Again, you must give serious consideration to the other exceptions. It may be that you can obtain explicit consent with some effort or investment.
your transfer must not be repetitive – that is it may happen more than once but not regularly.
the personal data must only relate to a limited number of individuals. There is no absolute threshold for this. The number of individuals involved should be part of the balancing exercise you must undertake in para (g) below.
The transfer must be necessary for your compelling legitimate interests. Please see the section of the guide on legitimate interests as a lawful basis for processing, but bearing mind that this exception requires a higher standard, as it must be a compelling legitimate interest. An example is a transfer of personal data to protect a company’s IT systems from serious immediate harm.
On balance your compelling legitimate interests outweigh the rights and freedoms of the individuals.
You have made a full assessment of the circumstances surrounding the transfer and provided suitable safeguards to protect the personal data. Suitable safeguards might be strict confidentiality agreements, a requirement for data to be deleted soon after transfer, technical controls to prevent the use of the data for other purposes, or sending pseudonymised or encrypted data. This must be recorded in full in your documentation of your processing activities.
You have informed the ICO of the transfer. We will ask to see full details of all the steps you have taken as set out above.
You have informed the individual of the transfer and explained your compelling legitimate interest to them.