What is an international transfer of personal information?

In detail

Why are international transfers important?

The UK GDPR applies to most organisations located in the United Kingdom.

We live in a data-driven world, and there are many reasons why you may need to transfer personal information to separate controllers or processors located outside the UK.

People risk losing the protection of UK data protection law if their personal information is transferred outside the UK.

As such, the UK GDPR contains rules about transfers of personal information to separate organisations located outside the UK. These ensure that people’s rights about their personal information are protected when their information is transferred outside the UK.

What is an international transfer of personal information? 

The UK GDPR contains rules about transfers of personal information to separate organisations outside the UK. These rules only apply if you’re making what we refer to as a ‘restricted transfer’.

When we talk about transfers to organisations in this guidance, this includes international organisations as defined in article 4(26) of the UK GDPR. Only a few organisations are likely to make transfers to international organisations.

The transfer rules apply to all types of organisations that handle personal information. We use ‘organisation’ in this guidance to refer to any legal entity that is a controller or processor of personal information, including sole traders and self-employed individuals.

We use ‘transfer’ in this guidance to refer to both:

  • sending personal information to a separate organisation outside the UK; and
  • making personal information accessible to a separate organisation outside the UK.

A transfer isn’t just about sending personal information. It can also mean making personal information accessible, for example by allowing remote access to your systems.

A transfer is a restricted transfer if all of the following apply:

  • the UK GDPR applies to your processing of the personal information you’re transferring;
  • you’re initiating the transfer of personal information to an organisation located outside the UK; and
  • the organisation receiving the personal information is a separate legal entity to you.

What if personal information is ‘in transit’ through another country?

Transfer doesn’t mean the same as transit. If personal information is just electronically routed through a country outside the UK, but the transfer is actually from one UK organisation to another, then it’s not a restricted transfer.

You must put in place appropriate security measures to prevent unauthorised access to the personal information while it is in transit.

Example

A UK controller transfers personal information to another controller in the UK, but it happens to be routed via several other countries. There’s no intention to access or store the personal information while it’s in those other countries.

This isn’t a restricted transfer. But the controller must consider the security of the information while it’s in transit.

What are the transfer rules?

If you’re making a restricted transfer, you must make sure that the transfer is covered by one of the following:

  • UK adequacy regulations;
  • appropriate safeguards; or
  • an exception (called a “derogation” in the legislation).

If there aren’t any UK adequacy regulations, appropriate safeguards or an exception covering your restricted transfer, you must not make the transfer. If you do, you’re breaching the UK GDPR.

The UK GDPR transfer rules apply to all restricted transfers, even small, infrequent ones.

Example

A UK government department is attending an annual conference in Canada. The conference is hosted by the Canadian government. The UK government department sends the names and email addresses of the 10 employees who will be attending.

This is a restricted transfer, even though only a small amount of personal information is sent and it’s not a regular occurrence.

You must also ensure that you comply with the other requirements under the UK GDPR. See ‘What are our other key UK GDPR obligations in the context of international transfers?’