Sending personal data outside the European Economic Area (Principle 8)
This section provides practical advice to companies or other organisations who want to send personal data outside the European Economic Area (EEA).
In brief – what does the Data Protection Act say about sending personal data outside the EEA?
The Data Protection Act says that:
Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
This is the eighth data protection principle, but other principles of the Act will also usually be relevant to sending personal data overseas. For example, the first principle (relating to fair and lawful processing) will in most cases require you to inform individuals about disclosures of their personal data to third parties overseas. The seventh principle (concerning information security) will also be relevant to how the information is sent and the necessity to have contracts in place when using sub-contractors abroad.
The Act also sets out the situations where the eighth principle does not apply, and these situations are also considered in more detail in this section.
If you are considering sending personal data outside the EEA, work through the following checklist to help you decide if the eighth principle applies and, if so, how to comply with it to make a transfer.
1. Do you need to transfer personal data abroad?
Can you achieve your objectives without processing personal data at all? For example, could the information be anonymised?
2. Are you transferring the data to a country outside the EEA or will it just be in transit through a non-EEA country?
If data is only in transit through a non-EEA country, there is no transfer outside the EEA. Note that if you add personal data to a website based in the EU that is accessed in a country outside the EEA, there will be a transfer of data outside the EEA.
3. Have you complied with all the other data protection principles?
If you transfer personal data outside the EEA, you are required to comply with all the principles and the Act as a whole, not just the eighth principle relating to international data transfers.
4. Is the transfer to a country outside the EEA?
There are no restrictions on the transfer of personal data to EEA countries.
5. Is the transfer to a country on the EU Commission’s list of countries or territories providing adequate protection for the rights and freedoms of data subjects in connection with the processing of their personal data?
Transfers may be made to any country or territory in respect of which the Commission has made a ‘positive finding of adequacy’.
6. If the transfer is to the United States of America, has the US recipient of the data signed up to the US Department of Commerce Safe Harbor Scheme?
The Safe Harbor scheme is recognised by the European Commission as providing adequate protection for the rights of individuals in connection with the transfer of their personal data to signatories of the scheme in the USA.
7. Is the personal data passenger name record information (PNR)?
The agreement made between the EU and the USA (to legitimise and regulate the transfer of PNR from EU Airlines to the US Department of Homeland Security) is regarded as providing adequate protection for the rights of the data subjects whose personal data (in the form of PNR) is transferred. Arrangements also exist between the European Commission, Canada and Australia.
If you decide you need to transfer personal data outside the EEA, and the recipient is not in a country subject to a Commission ‘positive finding of adequacy’ nor signed up to the Safe Harbor Scheme, you will need to assess whether the proposed transfer will provide an adequate level of protection for the rights of the data subjects in connection with the transfer/processing of their personal data.
8. Can you make an assessment that the level of protection for data subjects’ rights is ‘adequate in all the circumstances of the case’?
9. If not, can you put in place adequate safeguards to protect the rights of the data subjects whose data is to be transferred?
Adequate safeguards may be put in place in a number of ways including using Model Contract Clauses, Binding Corporate Rules or Binding Corporate Rules for Processors (BCRs) or other contractual arrangements. Where “adequate safeguards” are established, the rights of data subjects continue to be protected even after their data has been transferred outside the EEA.
10. Can you rely on another exception from the restriction on international transfers of personal data?
Schedule 4 DPA concerns “Cases where the Eighth Principle does not apply”. It covers BCRs, model contract clauses, and the use of other contractual clauses as well as a number of other exceptions to the restriction on overseas data transfers. If you are able to rely on an exception, the transfer may take place even though there is no other protection for individuals’ rights.
Is it possible to fulfil my objectives and send information outside the UK without processing personal data?
Before making a transfer, you should consider whether you can achieve your aims without actually processing personal data. For example, if data is made anonymous so that it will never be possible to identify individuals from it on its own or by combining it with other available information, the information will not be personal data, the data protection principles will not apply, and you are free to transfer the information outside the EEA.
What is the difference between a transfer and being in transit?
A transfer involves sending personal data to someone in another country.
A company in the UK uses a centralised human resources system in the United States belonging to its parent company to store information about its employees.
A travel agent sends a customer’s details to a hotel in Australia where they will be staying while on holiday.
A transfer of personal data for the purposes of the eighth principle occurs when information moves from an EEA country to a country or territory outside the EEA (a third country).
A transfer is not the same as the transit of personal data through a third country. The eighth principle will only apply if the personal data moves to a third country, rather than passing through it on the way to its destination.
Personal data is transferred from country “A” to country “B” via a server in country “C”, which does not access or manipulate the information while it is in country “C”. In these circumstances the transfer is only to country “B”.
You will be processing personal data in the UK and transferring it even if:
you collect information relating to individuals on paper, which is not ordered or structured in any way; and
you send this overseas with the intention that, once it is there, it will be processed using equipment operating automatically; or
it will be added to a highly structured filing system relating to individuals.
A large insurance broker sends a set of notes about individual customers to a company acting on their behalf in another country. These notes are handwritten and are not held on computer or as part of a relevant filing system in the UK. The notes are to be entered onto a computer in the other country and added to a customer management system.
Putting personal data on a website will often result in transfers to countries outside the EEA. The transfers will take place when someone outside the EEA accesses the website. If you load information onto a server based in the UK so that it can be accessed through a website, you should consider the likelihood that a transfer may take place and whether that would be fair for the individuals concerned. If you intend information on the website to be accessed outside the EEA, then this is a transfer.
What other data protection obligations must I comply with when transferring personal data outside the EEA?
It is important to remember that all the data protection principles apply to overseas transfers of personal data – not just the eighth principle. So you must consider how you will comply with the other principles if you transfer. For example, the first principle (relating to fair and lawful processing) will in most cases require you to inform individuals about disclosures of their personal data to third parties overseas.
The seventh principle (concerning information security) will also be relevant to how the information is sent and introduces the requirement to have contracts in place when using subcontractors abroad.
Which countries are in the EEA?
Providing you are satisfied that you have complied with the other provisions (and in particular the principles) of the DPA, there are no additional restrictions on the transfer of personal data to EEA countries.
The EEA countries are currently the EU countries plus Iceland, Liechtenstein and Norway:
Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France
Although the United States of America (US) is not included in the European Commission list, the Commission considers that personal data sent to the US under the voluntary “Safe Harbor” scheme is adequately protected. When a US company signs up to the Safe Harbor arrangement, it agrees to:
follow seven principles of information handling; and
be held responsible for keeping to those principles by the Federal Trade Commission or other oversight schemes.
Certain types of companies cannot sign up to Safe Harbor. View a list of the companies signed up to the Safe Harbor arrangement on the US Department of Commerce website. If you are intending to transfer personal data under Safe Harbor, you should check whether the US Safe Harbor entity to which you are transferring the personal data is compliant with its Safe Harbor obligations.
In July 2007, the EU and the US signed an agreement to legitimise and regulate the transfer of passenger name record information (PNR) from EU airlines to the US Department of Homeland Security (DHS). This agreement, renewed in 2012, is regarded as providing adequate protection for the personal data in question. There are also agreements on PNR information with Australia and Canada. For more details, please see the European Commission website pages on Passenger Name Record - bilateral agreements.
If the data protection law in a country has not been approved as adequate, is it still possible to send personal data to that country?
Yes, if you are satisfied that in the particular circumstances there is an adequate level of protection. You can:
assess adequacy yourself;
use contracts, including the European Commission approved model contractual clauses;
get your Binding Corporate Rules or Binding Corporate Rules for Processors approved by the Information Commissioner; or
rely on the exceptions from the rule.
How do I assess adequacy?
You will need to be satisfied that in the particular circumstances there is an adequate level of protection for the rights of the individuals whose personal data you are transferring.
The Act sets out the factors you should take into account in making this decision. This means doing a risk assessment. You must decide whether there is adequate protection for the rights of individuals, in all the circumstances of the transfer. This is known as an assessment of adequacy. To assess adequacy you should look at:
the nature of the personal data being transferred;
the country or territory of origin of the information in question;
the country or territory of final destination of that information;
how the data will be used and for how long; and
the security measures to be taken in respect of the personal data in the country or territory where the data will be received.
If your assessment of these ‘general adequacy’ criteria reveals that, in the particular circumstances, the risks associated with the transfer are low, an exhaustive analysis of the ‘legal adequacy’ criteria (listed below) may not be necessary. If your assessment of the general adequacy criteria indicates the transfer is ‘high risk’ (eg if the data is particularly sensitive), then a more comprehensive investigation of the legal adequacy criteria will be required. In these circumstances you must consider:
the extent to which the country has adopted data protection standards in its law;
whether there is a way to make sure the standards are achieved in practice (for example, whether there are any enforceable codes of conduct or other rules); and
whether there is an effective procedure for individuals to enforce their rights or get compensation if things go wrong.
We realise it may be impractical for you to carry out a detailed analysis of adequacy involving the legal situation in a non-EEA country. This analysis might be more appropriate for a business that regularly transfers large volumes of personal data to a particular country, rather than a company that might only occasionally transfer personal data to any of a wide range of countries. For this reason, this guide does not give detailed advice on how to carry out an adequacy test; instead, please see Assessing adequacy for international data transfers (pdf).
In some cases you might reasonably decide there is adequate protection without a detailed assessment. A common situation is where you transfer personal data to a processor acting on your instructions under contract. You are still legally responsible for making sure the data is processed in line with the principles. In particular, personal data can only be transferred if there is a contract requiring the processor to have appropriate security and act only on your instruction. So individuals’ information should continue to be protected to the same standard as in the UK and they will have the same rights they can exercise in the UK. This is because you remain liable for ensuring that the processing complies with the data protection principles. When selecting a processor, you need to satisfy yourself that it is reliable and has appropriate security.
However, the level of protection is unlikely to be adequate if:
the transfer is to a processor in an unstable country; and
the nature of the information means that it is at particular risk.
You may reasonably decide there is adequate protection without a detailed analysis, depending on: the nature of the information; the circumstances of the transfer; your knowledge of the country; and the company you are transferring to. Some examples are discussed below.
A university wishes to transfer the academic biographies of its lecturers and research staff to other universities and potential students outside the EEA. Nothing of a private nature is included.
This is a well-known practice in the university. The personal data, such as the staff’s qualifications and publications, is already publicly available. Any member of staff can have their information withheld if they have a reason to do so – such as concerns about their safety. In this case, it is difficult to see a problem with adequacy as the potential for staff to object has been addressed and there is little further risk of misuse.
Company A in the UK sends its customer list to company B outside the EEA so that company B, acting as a processor, can send a mailing to company A’s customers. It is likely that adequate protection exists if:
the information transferred is only names and addresses;
there is nothing particularly sensitive about company A’s line of business;
the names and addresses are for one-time use and must be returned or destroyed within a short timescale;
company A knows company B is reliable; and
there is a contract between them governing how the information will be used.
An employee travels outside the EEA with a laptop containing personal data connected with their employment. Their employer in the UK is still the data controller. As long as the information stays with the employee on the laptop, and the employer has an effective procedure to deal with security and the other risks of using laptops (including the extra risks of international travel), it is reasonable to decide that adequate protection exists.
A multinational company transfers a list of internal telephone extensions to its overseas subsidiaries. The nature of the information makes it unlikely that the individuals identified would suffer significant damage in the unlikely event that an unauthorised source obtained the list. It is reasonable to decide that adequate protection exists.
These examples show that you can, in particular circumstances, decide whether there is adequacy. You might limit the types of information you transfer and the types of organisation you transfer to, or insist that the destination company meet certain conditions by contract or otherwise.
If it is not possible to make an assessment that the proposed transfer offers an adequate level of protection, it may be possible to put in place ‘adequate safeguards’. Where adequate safeguards are put in place, the rights of individuals continue to be protected even after their data has been transferred outside the EEA. Examples of some of these safeguards are outlined below.
How can you use contracts to ensure there is an adequate level of protection?
There are several types of contract that you can use to transfer personal data outside the EEA. The main types are:
contracts based on the standard contractual clauses approved by the European Commission (EC model clauses); and
other contracts you draw up yourself after a risk assessment to bring protection up to an adequate level.
EC model clauses
The European Commission has approved four sets of standard contractual clauses (known as model clauses) as providing an adequate level of protection. If you use these model clauses in their entirety in your contract, you will not have to make your own assessment of adequacy.
Two of the sets of model clauses relate to transferring personal data from one company to another company, which will then use it for its own purposes (the “controller to controller clauses”). In this case you can choose either set of clauses, depending on which best suits your business arrangements. The other two sets of model clauses are for transferring personal data to a processor acting under your instructions, such as a company that provides you with IT services or runs a call centre for you. Whilst the first set of “processor” model clauses may still be in use for transfer arrangements put in place before 2010, only the new set of “processor” clauses may be used for new arrangements.
The model clauses are attached as an annex to the European Commission decisions of adequacy, which approve their use. The Information Commissioner has authorised the use of both sets of model contracts for transfers from controller to controller: the original 2001 clauses and the revised 2004 clauses. The Information Commissioner has also authorised the use of revised contractual clauses adopted in May 2010 for transfers from controller to processor (pdf), and in doing so has withdrawn his authorisation for the original 2001 clauses for transfers from controller to processor. Contracts made under this authorisation and concluded before 15 May 2010 are still valid. However, the revised clauses should be used from 15 May 2010.
If you are relying on the European Commission adequacy decisions you cannot change the clauses in any way, for example by removing parts or adding other clauses to change the meaning, but the clauses can be incorporated into other contracts. For more information, read our detailed guidance.
You can also use your own contracts to help ensure adequacy for a particular transfer or set of transfers. You can use these contracts to plug gaps where you have decided that there would be adequacy, were it not for a particular weakness. For example, you may want to include a contract clause to require the company receiving the information to return it to you if your relationship comes to an end or they go out of business. Alternatively, you may use your own contracts to form the entire basis for the adequacy of protection of individuals’ rights.
You do not have to have a separate contract for data protection. You can include the terms to achieve adequacy in any general contract that covers your relationship with the other company.
You can also use contracts where you are not in a position to judge adequacy. The contract should be comprehensive to enable you to satisfy yourself that adequacy exists, without you needing to analyse the circumstances of the transfer. This kind of contract is likely to be very similar to a standard contract using the EC model clauses, which you can use to develop your own terms.
If you use contract provisions that differ from the model clauses, you risk a future challenge to the adequacy of the contract’s level of protection. You must record your reasoning and decisions and be able to justify your actions if you are questioned on them. This is in line with our general approach to compliance with the Act which allows organisations to make their own judgments as to whether they are complying with their data protection obligations rather than always needing to obtain prior approval for their actions. We are not able to give you detailed advice on or approve contracts other than in exceptional circumstances.
In what circumstances will the Information Commissioner approve transfers by an organisation?
The Information Commissioner has the power to authorise transfers of personal data on the basis that in the particular circumstances there is an adequate level of protection, but we will not routinely do this because you will be in a better position to decide if there is adequacy in the light of your knowledge of the safeguards and the processing taking place.
If we authorise a transfer, we must tell the European Commission and other data protection authorities in Europe.
We will not authorise one-off arrangements between you and companies in other countries unless there are exceptional circumstances. We would have to be satisfied that there was no other reasonable way for you to comply with the eighth principle, for example by applying any of the exemptions or by making your own assessment of adequacy.
What are “binding corporate rules”?
Another option is to adopt binding codes of corporate conduct, known as binding corporate rules or binding corporate rules for processors (BCR). This option only applies to multinational organisations transferring information outside the EEA but within their group of entities and subsidiaries. These rules create rights for individuals, which can be exercised before the courts or data protection authorities, and obligations for the company. In all cases, the rules are legally binding on the companies in the multinational group and will usually be made so by unilateral declarations, intra-group agreements or the corporate governance of the group. To use BCR to transfer personal data freely within your group, they must be approved by all the relevant European data protection authorities who will co-operate with each other in assessing the standard of your rules.
You may use internal codes of conduct, similar to BCR, to transfer information from the UK without an authorisation where:
you have conducted a risk assessment; and
you are satisfied that the codes provide the level of safeguards required by the eighth principle.
When you do not have an authorisation, or your code of conduct or internal policies have not been through the BCR approval process, they will not be recognised as a BCR. Using an unauthorised code risks a future challenge to the adequacy of the level of protection it offers. If challenged, you must be able to justify your reliance on your code of conduct for providing adequate protection. It is therefore important that you record your reasoning and decisions for using your own code. This is in line with our general approach to compliance with the Act.
Are there any exceptions to the rule?
There are several exemptions from the eighth principle, where you can transfer personal data even if there is no adequate protection. However, it is good practice to ensure that there is adequate protection if it is possible to do so, and only to rely on an exemption if it is not. Nevertheless, the exemptions are legally available to you and may in some circumstances provide a simple solution that only results in a minimal loss of protection for the individual. You will find a detailed analysis in our guidance.
A consent will not be valid if the individual has no choice but to give their consent.
A company asks its employees to agree to the international transfer of their personal data. The penalty for not agreeing is dismissal, and so the company may not rely on any “consents” given by its employees in these circumstances.
The individual must know and have understood what they are agreeing to. You should specify the reasons for the transfer and, as far as possible, the countries involved. If you are aware of any particular risks involved in the transfer, you should tell the individual. In our view, consent is unlikely to provide an adequate long-term solution to repeated transfers or ones that arise from a structural reorganisation.
You can transfer personal data overseas where it is necessary for carrying out certain types of contract or if the transfer is necessary to set up the contract.
For a contract between the organisation and the individual, you may transfer personal data overseas if the transfer is:
necessary to carry out the contract; or
a necessary part of the steps the individual has asked you to take before a contract is made between you.
For a contract between the organisation and someone other than the individual, you may transfer personal data overseas if:
the individual requests the contract or it is in their interests; and
the transfer is necessary to conclude the contract; or
the transfer is necessary to carry out such a contract.
In this context, contracts are not restricted to goods and services – they can include employment contracts. Deciding whether a transfer is necessary to carry out a contract depends on the nature of the goods or services provided under the contract rather than how your business is organised.
A transfer is not necessary if the only reason you need to make it is because of the way you have chosen to structure your business. Read more in Conditions for processing.
An individual books a hotel in the USA through a UK travel agent. The UK travel agent will need to transfer the booking details to the USA to fulfil its contract with the individual.
The customer of a UK credit-card issuer uses their card in Japan. It may be necessary for the card issuer to transfer some personal data to Japan to validate the card and/or reimburse the seller.
A UK-based internet trader sells furniture online. It makes it clear to customers that it is a retailer, not a manufacturer. Goods are delivered direct to the customer from the manufacturer. If a customer orders goods that are manufactured in Ukraine, the trader needs to transfer a delivery name and address to Ukraine to carry out the contract.
Substantial public interest
You can transfer personal data overseas where it is necessary for reasons of substantial public interest. This is a high threshold to meet and it is most likely to be relevant in areas such as preventing and detecting crime; national security; and collecting tax. Organisations intending to rely on this exemption should consider each case individually. The public interest must be that of the UK and not the third country to which the personal data is transferred.
You can transfer personal data overseas where it is necessary to protect the vital interests of the individual. This relates to matters of life and death.
A local health authority could transfer relevant medical records from the UK to another country where an individual had had a heart attack and their medical history was necessary to decide appropriate treatment.
You can transfer overseas part of the personal data on a public register, as long as the person you transfer to complies with any restrictions on access to or use of the information in the register.
The General Medical Council (GMC) can transfer extracts from its register of medical practitioners to respond to enquiries from outside the UK, but it is not allowed to transfer the complete register under this exemption. If the GMC puts conditions on inspecting the register in the UK, the person the extract is transferred to, and anyone they then pass it on to, must comply with these restrictions.
You can transfer personal data overseas where it is necessary:
in connection with any legal proceedings (including future proceedings not yet underway);
to get legal advice; or
to establish, exercise or defend legal rights.
A US parent company is sued by an employee of its UK subsidiary. Relevant employee information may be transferred to the US parent as it is required for the defence.
The legal proceedings do not have to involve you or the individual as a party and the legal rights do not have to be yours or the individual’s. Although this exemption could apply widely, transfers are only likely to fall under this category if they are connected with legal proceedings or getting legal advice.
Can I transfer personal data overseas if I get a request for it from the authorities outside the UK on the basis of the laws in their country?
No specific exemption routinely covers all such requests. However, in certain circumstances you will be able to send some personal data to the authorities or other parts of your own organisation in another country where the authorities in that country have requested it. How far you may do so will depend on the nature of the request. You will need to consider these cases carefully and you can ask us for advice.