How have the rules on restricted transfers changed, now that the Brexit transition period has ended?
On 28 June 2021 the EU Commission adopted decisions on the UK’s adequacy under the EU’s General Data Protection Regulation (EU GDPR) and Law Enforcement Directive (LED). In both cases, the European Commission has found the UK to be adequate. This means that most data can continue to flow from the EU and the EEA without the need for additional safeguards. The adequacy decisions do not cover data transferred to the UK for the purposes of immigration control, or where the UK immigration exemption applies. For this kind of data, different rules apply and the EEA sender needs to put other transfer safeguards in place.
This guidance is about transferring data overseas from the UK. For further information on receiving personal data from the EEA, read our detailed guidance on data protection and the EU.
Restricted transfers from the UK to other countries, including to the EEA, are subject to transfer rules under the UK regime. These UK transfer rules broadly mirror the EU GDPR rules, but the UK has the independence to keep the framework under review.
There are transitional arrangements which aim to smooth the transition to the new UK regime.
First, there are provisions which permit the transfer of personal data from the UK to the EEA and to any countries which, as at 31 December 2020, were covered by a European Commission ‘adequacy decision’. This is to be kept under review by the UK Government.
The UK government has the power to make its own ‘adequacy decisions’ in relation to third countries and international organisations. In the UK regime these are known as ‘adequacy regulations’.
There are also provisions which allow the continued use of any EU Standard Contractual Clauses (‘SCCs’), valid as at 31 December 2020, both for existing restricted transfers and for new restricted transfers.
Finally, there are provisions which allow certain Binding Corporate Rules to transition into the UK regime.
Are we making a transfer of personal data outside the UK?
1) Are we making a restricted transfer?
You are making a restricted transfer if:
- the UK GDPR applies to your processing of the personal data you are transferring. The scope of the UK data protection regime is set out in Articles 2 and 3 of the UK GDPR and section 207 DPA 2018 (where the DPA 2018, which incorporated the UK GDPR, applies). Please see the section of the guide What is personal data;
- you are agreeing to send personal data, or make it accessible, to a receiver which is located in a country outside the UK; and
- the receiver is legally distinct from you as it is a separate company, organisation or individual. This includes transfers to another company within the same corporate group. However, if you are sending personal data to someone employed by you or by your company or organisation, this is not a restricted transfer. The transfer restrictions only apply if you are sending personal data outside your company or organisation.
A UK company uses a centralised human resources service in the United States provided by its parent company. The UK company passes information about its employees to its parent company in connection with the HR service. This is a restricted transfer.
A UK company sells holidays in Australia. It sends the personal data of customers who have bought the holidays to the hotels they have chosen in Australia in order to secure their bookings. This is a restricted transfer.
Transfer does not mean the same as transit. If personal data is just electronically routed through a non-UK country but the transfer is actually from one UK organisation to another, then it is not a restricted transfer.
Personal data is transferred from a controller in the UK to another controller in the UK via a server in Australia. There is no intention that the personal data will be accessed or manipulated while it is in Australia. Therefore there is no restricted transfer.
You are making a restricted transfer if you collect information about individuals on paper, which is not ordered or structured in any way, and you send this to a service company located outside of the UK, to:
- put into digital form; or
- add to a highly structured manual filing system relating to individuals.
A UK insurance broker sends a set of notes about individual customers to a company outside the UK. These notes are handwritten and are not stored on computer or in any particular order. The non-UK company adds the notes to a computer customer management system. This is a restricted transfer.
Putting personal data on to a website will often result in a restricted transfer. The restricted transfer takes place when someone outside the UK accesses that personal data via the website.
If you load personal data onto a UK server which is then available through a website, and you plan or anticipate that the website may be accessed from outside the UK, you should treat this as a restricted transfer.
How do we make a restricted transfer in accordance with the UK GDPR?
You must work through the following questions, in order.
If by the last question, you are still unable to make the restricted transfer, then it will be in breach of the UK GDPR.
Is the restricted transfer covered by ‘adequacy regulations’?
You may make a restricted transfer if the receiver is located in a third country or territory or is an international organisation, covered by UK “adequacy regulations”.
UK “adequacy regulations” set out in law that the legal framework in that country, territory, sector or international organisation has been assessed as providing ‘adequate’ protection for individuals’ rights and freedoms for their personal data.
There are provisional arrangements so that UK “adequacy regulations” include the EEA and all countries, territories and international organisations covered by European Commission “adequacy decisions” valid as at 31 December 2020. The UK intends to review these adequacy regulations over time.
1) What countries or territories are covered by adequacy regulations?
The UK has “adequacy regulations” in relation to the following countries and territories:
- The European Economic Area (EEA) countries. These are the EU member states and the EFTA states.
  - The EU member states are Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden.
  - The EFTA states are Iceland, Norway and Liechtenstein.
- EU or EEA institutions, bodies, offices or agencies.
- Countries, territories and sectors covered by the European Commission’s adequacy decisions (in force at 31 December 2020).
  - These include a full finding of adequacy about the following countries and territories: Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.
  - In addition, the partial findings of adequacy about:
    - Japan – only covers private sector organisations.
    - Canada – only covers data that is subject to Canada's Personal Information Protection and Electronic Documents Act (PIPEDA). Not all data is subject to PIPEDA. For more details please see the EU Commission's FAQs on the adequacy finding on the Canadian PIPEDA.
2) What if there is no adequacy decision?
You should move on to the next section Is the transfer covered by appropriate safeguards?
Is the restricted transfer covered by appropriate safeguards?
If there are no UK ‘adequacy regulations’ about the country, territory or sector for your restricted transfer, you should then find out whether you can make the transfer subject to ‘appropriate safeguards’.
There is a list of appropriate safeguards in the UK GDPR. Each ensures that both you and the receiver of the restricted transfer are legally required to protect individuals’ rights and freedoms in respect of their personal data.
Have you undertaken a transfer impact assessment?
Before you may rely on an appropriate safeguard to make a restricted transfer, you must be satisfied that the data subjects of the transferred data continue to have a level of protection essentially equivalent to that under the UK data protection regime.
You should do this by undertaking a risk assessment, which takes into account the protections contained in that appropriate safeguard and the legal framework of the destination country (including laws governing public authority access to the data).
If your assessment is that the appropriate safeguard does not provide the required level of protection, you may include additional measures.
This assessment is undoubtedly complex in many situations. The ICO intends to issue guidance on this topic in due course.
The European Data Protection Board (EDPB) has published its adopted recommendations on measures that supplement transfer tools. The recommendations apply to the EU GDPR transfer regime, and are included here only as a useful reference about additional measures. We will be producing our own guidance on this topic in due course.
Each appropriate safeguard is set out below:
1. A legally binding and enforceable instrument between public authorities or bodies
You can make a restricted transfer if it is covered by a legal instrument between public authorities or bodies containing ‘appropriate safeguards’. The ‘appropriate safeguards’ must include enforceable rights and effective remedies for the individuals whose personal data is transferred.
This agreement or legal instrument could also be entered into with an international organisation.
2. Binding Corporate Rules (BCRs)
For information on Binding Corporate Rules, go to our separate BCR page.
3. Standard contractual clauses (SCCs)
You can make a restricted transfer if you and the receiver have entered into a contract incorporating standard data protection clauses recognised or issued in accordance with the UK data protection regime. These are known as ‘standard contractual clauses’ (‘SCCs’ or ‘model clauses’).
The SCCs contain contractual obligations on you (the data exporter) and the receiver (the data importer), and rights for the individuals whose personal data is transferred. Individuals can directly enforce those rights against the data importer and the data exporter.
EU SCCs entered into prior to the end of the transitional period continue to be valid for restricted transfers under the UK regime.
The European Commission issued new EU SCCs on 4 June 2021. These are not valid for restricted transfers under the UK GDPR (but see the next paragraph).
Following a consultation, the ICO has now issued new data protection clauses for restricted transfers, which will replace the old EU SCCs. There is a new International Data Transfer Agreement (IDTA) and a new International Data Transfer Addendum to the new European Commission SCCs (Addendum). These were laid before Parliament on 28 January 2022. Provided that there are no objections, these documents will be in force on 21 March 2022.
The ICO has also issued a document setting out transitional provisions regarding the current EU SCCs; this was also laid before Parliament on 28 January 2022.
You may continue to enter into new contracts on the basis of the old EU SCCs until 21 September 2022. All contracts on the basis of the old EU SCCs will continue to provide ‘appropriate safeguards’ for the purpose of UK GDPR, until 21 March 2024. From that date, if your restricted transfers continue, you must enter into a contract on the basis of the IDTA or the Addendum or find another way to make the restricted transfer under the UK GDPR.
When you are entering into a contract on the basis of the IDTA or the Addendum you must still carry out a risk assessment. This is to make sure that the actual protection provided by the IDTA or Addendum, given the actual circumstances of the restricted transfer, is sufficiently similar to the principles underpinning UK data protection laws.
A family books a holiday in Australia with a UK travel company. The UK travel company sends details of the booking to the Australian hotel.
Each company is a separate controller, as it is processing the personal data for its own purposes and making its own decisions.
The contract between the UK travel company and the hotel should use controller-to-controller standard contractual clauses.
The UK travel company must also undertake a transfer impact assessment, and if necessary include additional measures to ensure that the data subjects of the transferred data continue to have a level of protection essentially equivalent to that under the UK data protection regime.
If you are making a restricted transfer from a controller to a processor, you also need to comply with the UK GDPR requirements about using processors.
In more detail
The following EU Standard Contractual Clauses can still be used:
You are permitted to make changes to them so they make sense for restricted transfers under the UK GDPR. We have created UK versions of the SCCs (with guidance), with suggested UK changes made for you:
International data transfer agreement and guidance
The European Data Protection Board (EDPB) has adopted recommendations on measures that supplement transfer tools. These recommendations apply to the EU GDPR transfer regime, and are included only as useful reference about additional measures. The ICO intends to issue its own guidance on this topic in due course.
In more detail - European Data Protection Board
The European Data Protection Board (EDPB) has published guidance on codes of conduct. This applies to the EU GDPR, and is included here as a useful reference. We will be producing our own guidance on this topic in due course.
5. Certification under an approved certification scheme
You can make a restricted transfer if the receiver has a certification, under a scheme approved by the ICO. The certification scheme must include appropriate safeguards to protect the rights of individuals whose personal data is transferred, with a binding and enforceable commitment by the receiver to apply those appropriate safeguards.
The UK GDPR also endorses the use of approved certification mechanisms to demonstrate compliance with its requirements.
No approved certification schemes are yet in use as an appropriate safeguard for international transfers. The ICO will provide separate guidelines in relation to the use of certification schemes as a mechanism to facilitate international transfers in due course.
6. Contractual clauses authorised by the ICO
You can make a restricted transfer if you and the receiver have entered into a bespoke contract governing a specific restricted transfer which has been individually authorised by the ICO. This means that if you are making a restricted transfer from the UK, the ICO must have approved the contract before you rely on it.
7. Administrative arrangements between public authorities or bodies
You can make a restricted transfer using:
- An administrative arrangement (usually a document, such as a memorandum of understanding) between public authorities or bodies.
- The administrative arrangement must set out ‘appropriate safeguards’ for the rights of the individuals whose personal data is to be transferred. The ‘appropriate safeguards’ must include effective and enforceable rights for the individuals whose personal data is transferred.
- The administrative arrangement must be individually authorised by the ICO.
What if the restricted transfer is not covered by appropriate safeguards?
If the restricted transfer is not covered by appropriate safeguards, then you need to consider the next question: Is the restricted transfer covered by an exception?
Is the restricted transfer covered by an exception?
If you are making a restricted transfer that is not covered by UK ‘adequacy regulations’, nor an appropriate safeguard, then you can only make that transfer if it is covered by one of the ‘exceptions’ set out in Article 49 of the UK GDPR.
You should only use these as true ‘exceptions’ from the general rule that you should not make a restricted transfer unless it is covered by UK ‘adequacy regulations’ or there are appropriate safeguards in place.
If it is covered by an exception, you may go ahead with the restricted transfer. Of course, you must still comply with the rest of the UK GDPR.
Each exception is set out below:
Exception 1. Has the individual given his or her explicit consent to the restricted transfer?
Please see the section on consent as to what is required for a valid explicit consent under the UK GDPR.
As a valid consent must be both specific and informed, you must provide the individual with precise details about the restricted transfer. You cannot obtain a valid consent for restricted transfers in general.
You should tell the individual:
- the identity of the receiver, or the categories of receiver;
- the country or countries to which the data is to be transferred;
- why you need to make a restricted transfer;
- the type of data;
- the individual’s right to withdraw consent; and
- the possible risks involved in making a transfer to a country which does not provide adequate protection for personal data and without any other appropriate safeguards in place. For example, you might explain that there will be no local supervisory authority, and no (or only limited) individual data protection or privacy rights.
Given the high threshold for a valid consent, and that the consent must be capable of being withdrawn, this may mean that using consent is not a feasible solution.
Exception 2. Do you have a contract with the individual? Is the restricted transfer necessary for you to perform that contract?
Are you about to enter into a contract with the individual? Is the restricted transfer necessary for you to take steps requested by the individual in order to enter into that contract?
This exception explicitly states that it can only be used for occasional restricted transfers. This means that the restricted transfer may happen more than once but not regularly. If you are regularly making restricted transfers, you should be putting in place an appropriate safeguard.
The transfer must also be necessary, which means that you cannot perform the core purpose of the contract, or the core purpose of the steps needed to enter into the contract, without making the restricted transfer. It does not cover a transfer made simply so that you can use a cloud-based IT system.
A UK travel company offering bespoke travel arrangements may rely on this exception to send personal data to a hotel in Peru, provided that it does not regularly arrange for its customers to stay at that hotel. If it did, it should consider using an appropriate safeguard, such as the standard contractual clauses.
It is only necessary to send limited personal data for this purpose, such as the name of the guest, the room required and the length of stay.
Example of necessary steps being taken at the individual’s request in order to enter into a contract: Before the package is confirmed (and the contract entered into), the individual wishes to reserve a room in the Peruvian hotel. The UK travel company has to send the Peruvian hotel the name of the customer in order to hold the room.
Public authorities cannot rely on this exception when exercising their public powers.
Exception 3. Do you have (or are you entering into) a contract with an individual which benefits another individual whose data is being transferred? Is that transfer necessary for you to either enter into that contract or perform that contract?
As set out in Exception 2, you may only use this exception for occasional transfers, and the transfer must be necessary for you to perform the core purposes of the contract or to enter into that contract.
You may rely on both Exceptions 2 and 3: Exception 2 for the individual entering into the contract and Exception 3 for other people benefiting from that contract, often family members.
Exceptions 2 and 3 are not identical. You cannot rely on Exception 3 for any restricted transfers needed for steps taken prior to entering into the contract.
Public authorities cannot rely on this exception when exercising their public powers.
Following the Exception 2 example, Exception 3 may apply if the customer is buying the travel package for themselves and their family. Once the customer has bought the package from the UK travel company, it may be necessary to send the names of the family members to the Peruvian hotel in order to book the rooms.
Exception 4: You need to make the restricted transfer for important reasons of public interest.
There must be a UK law which states or implies that this type of transfer is allowed for important reasons of public interest, which may be in the spirit of reciprocity for international co-operation. For example an international agreement or convention (which the UK has signed) that recognises certain objectives and provides for international co-operation (such as the 2005 International Convention for the Suppression of Acts of Nuclear Terrorism).
This can be relied upon by both public and private entities.
If a request is made by a non-UK authority for a restricted transfer under this exception, and there is an international agreement such as a mutual legal assistance treaty (MLAT), you should consider referring the request to the existing MLAT or agreement.
You should not rely on this exception for systematic transfers. Instead, you should consider one of the appropriate safeguards. You should only use it in specific situations, and each time you should satisfy yourself that the transfer is necessary for an important reason of public interest.
Exception 5: You need to make the restricted transfer to establish if you have a legal claim, to make a legal claim or to defend a legal claim.
This exception explicitly states that you can only use it for occasional transfers. This means that the transfer may happen more than once but not regularly. If you are regularly transferring personal data, you should put in place an appropriate safeguard.
The transfer must be necessary, so there must be a close connection between the need for the transfer and the relevant legal claim.
The claim must have a basis in law and a formal, legally defined process, but this is not limited to judicial or administrative procedures. This means that you can interpret what is a legal claim quite widely, to cover, for example:
- all judicial legal claims, in civil law (including contract law) and criminal law. The court procedure does not need to have been started, and it covers out-of-court procedures. It covers formal pre-trial discovery procedures.
- administrative or regulatory procedures, such as to defend an investigation (or potential investigation) in competition law or financial services regulation, or to seek approval for a merger.
You cannot rely on this exception if there is only the mere possibility that a legal claim or other formal proceedings may be brought in the future.
Public authorities can rely on this exception, in relation to the exercise of their powers.
Exception 6: You need to make the restricted transfer to protect the vital interests of an individual. He or she must be physically or legally incapable of giving consent.
This applies in a medical emergency where the transfer is needed in order to give the medical care required. The imminent risk of serious harm to the individual must outweigh any data protection concerns.
You cannot rely on this exception to carry out general medical research.
If the individual is physically and legally capable of giving consent, then you cannot rely on this exception.
For detail as to what is considered a ‘vital interest’ under the UK GDPR, please see the section on vital interests as a condition of processing special category data.
For detail as to what is ‘consent’ under the UK GDPR please see the section on consent.
Exception 7: You are making the restricted transfer from a public register.
The register must be created under UK law and must be open to either:
- the public in general; or
- any person who can demonstrate a legitimate interest.
For example, registers of companies, associations, land registers or public vehicle registers. The whole of the register cannot be transferred, nor whole categories of personal data.
The transfer must comply with any general laws which apply to disclosures from the public register. If the register has been established at law and access is only given to those with a legitimate interest, part of that assessment must take into account the data protection rights of the individuals whose personal data is to be transferred. This may include consideration of the risk to that personal data by transferring it to a country with less protection.
This does not cover registers run by private companies, such as credit reference databases.
Exception 8: you are making a one-off restricted transfer and it is in your compelling legitimate interests.
If you cannot rely on any of the other exceptions, there is one final exception to consider. This exception should not be relied on lightly and never routinely as it is only for truly exceptional circumstances.
For this exception to apply to your restricted transfer:
- there must be no UK ‘adequacy regulations’ which apply.
- you are unable to use any of the other appropriate safeguards. You must give serious consideration to this, even if it would involve significant investment from you.
- none of the other exceptions apply. Again, you must give serious consideration to the other exceptions. It may be that you can obtain explicit consent with some effort or investment.
- your transfer must not be repetitive – that is it may happen more than once but not regularly.
- the personal data must only relate to a limited number of individuals. There is no absolute threshold for this. The number of individuals involved should be part of the balancing exercise (weighing your compelling legitimate interests against the rights and freedoms of the individuals) described below.
- The transfer must be necessary for your compelling legitimate interests. Please see the section of the guide on legitimate interests as a lawful basis for processing, bearing in mind that this exception requires a higher standard, as it must be a compelling legitimate interest. An example is a transfer of personal data to protect a company’s IT systems from serious immediate harm.
- On balance your compelling legitimate interests outweigh the rights and freedoms of the individuals.
- You have made a full assessment of the circumstances surrounding the transfer and provided suitable safeguards to protect the personal data. Suitable safeguards might be strict confidentiality agreements, a requirement for data to be deleted soon after transfer, technical controls to prevent the use of the data for other purposes, or sending pseudonymised or encrypted data. This must be recorded in full in your documentation of your processing activities.
- You have informed the ICO of the transfer. We will ask to see full details of all the steps you have taken as set out above.
- You have informed the individual of the transfer and explained your compelling legitimate interest to them.