International transfers
-
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
On this page you’ll find guidance you need to support your international transfers of personal information. It’s suitable for all types of organisation.
Brief guidance
A brief guide to international transfers
The rules about transferring personal information to other countries – including checklists to help you identify and make a 'restricted transfer'.
Detailed guidance
A guide to international transfers
The rules about transferring personal information to other countries – when the rules about transferring information to other countries apply, how to make what we call a 'restricted transfer', and who has responsibility for complying with the rules.
Adequacy regulations
Guidance on adequacy regulations and when they apply – including a list of current UK adequacy regulations. There’s also specific information on the UK’s adequacy regulations for the US (the UK Extension), with checklists to help you comply.
Appropriate safeguards
Guidance on the safeguards permitted under UK GDPR, including the UK IDTA, Addendum and UK BCRs, and when they become appropriate safeguards for restricted transfer of personal information. Previous content on IDTAs and BCRs has been moved here.
Completing a transfer risk assessment
Guidance on what a transfer risk assessment (TRA) is, when you need a TRA, and how to complete one. A TRA is now referred to in UK legislation as a “data protection test” but we still use the term ‘transfer risk assessment’ and TRA in our guidance.
Using an exception
Guidance on the exceptions from the rules on restricted transfers (called “derogations” in the legislation) and when you can use them.
Receiving personal information from the EEA
Guidance about receiving personal information from the EEA – including the EU adequacy decisions for the UK and information to help navigate the UK and EU data protection regimes. It replaces our previous guidance on Data protection and the EU.
Resources
Glossary
A list of frequently used terms or phrases used in this guidance and their definitions.
Quick reference FAQs
Answers to some of the questions we're asked about most often about restricted transfers.
Contact
If you have any feedback or comments on this guidance, please let us know at [email protected]. This inbox is not monitored for queries about your specific transfers. If you have a specific query, please check our Contact us page to find the right advice service.