A guide to international transfers
Latest updates - last updated 13 October 2023
13 October 2023 - The list of adequate countries and territories has been updated to correct the omission of the Faroe Islands.
12 October 2023 - The list of adequate countries and territories has been updated following the UK Government making adequacy regulations for the UK Extension to EU-US Data Privacy Framework. We also added additional detail about the existing partial adequacy finding for Japan.
13 July 2023 - New link added in the adequacy section to guidance on the scope of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). This follows the European Commission removing its FAQs on the subject.
19 May 2023 - We have broken the Guide to the UK GDPR down into smaller guides. All the content stays the same.
At a glance
- The UK GDPR primarily applies to controllers and processors located in the United Kingdom, with some exceptions.
- People risk losing the protection of the UK data protection laws if their personal data is transferred outside the UK.
- On that basis, the UK GDPR contains rules about transfers of personal data to receivers located outside the UK. People’s rights about their personal data must be protected or one of a limited number of exceptions must apply.
- The transfer rules apply where the receiver is a separate controller or processor and legally distinct from the sender. The receiver can be a separate sole trader, partnership, company, public authority or other organisation, and includes separate companies in the same group.
- The transfer rules do not apply where the receiver is an employee of the sender, or the sender and receiver are part of the same legal entity, such as a company.
- We refer to a transfer of personal data to these receivers located outside the UK as a 'restricted transfer'.
Checklist
1. Are we planning to make a transfer of personal data outside the UK?
If no, you can make the transfer. If yes, go to Q2.
2. Do we need to make a restricted transfer of personal data in order to meet our purposes?
If no, you can make a transfer without any personal data. If yes, go to Q3.
3. Are there UK ‘adequacy regulations’ about the country or territory where the receiver is located or a sector which covers the receiver?
If yes, you can make the transfer. If no, go to Q4.
4. Are we putting in place one of the ‘appropriate safeguards’ referred to in the UK GDPR, such as the IDTA or Binding Corporate Rules?
If yes, go to Q5. If no, go to Q6.
5. Having carried out a risk assessment, are we satisfied that for the data subjects of the transferred data, the relevant protections under the UK data protection regime will not be undermined?
If yes, you can make the transfer. If no, go to Q6.
6. Does an exception provided for in the UK GDPR apply?
If yes, you can make the transfer. If no, you cannot make the transfer in accordance with the UK GDPR.
If you reach the end without finding a provision which permits the restricted transfer, you are unable to make that restricted transfer in accordance with the UK GDPR.
In brief
- What are the rules on international transfers of personal data?
- Are we making a restricted transfer of personal data?
- Do we need to make a restricted transfer?
- How do we make a restricted transfer in accordance with the UK GDPR?
- Question 1: Is the restricted transfer covered by ‘adequacy regulations’?
- Question 2: Is the restricted transfer covered by appropriate safeguards?
- Question 3: Is the restricted transfer covered by an exception?
What are the rules on international transfers of personal data?
The UK GDPR contains rules on the transfer of personal data to receivers located outside the UK, which are separate controllers or processors and legally distinct from you. These rules apply to all transfers, no matter the size of transfer or how often you carry them out.
We refer to a transfer of personal data to these receivers located outside the UK as a 'restricted transfer'.
Are we making a restricted transfer of personal data?
You are making a restricted transfer if:
- Firstly: the UK GDPR applies to your processing of the personal data you are transferring.
The scope of the UK data protection regime is set out in Articles 2 and 3 of the UK GDPR and section 207 DPA 2018. The UK data protection regime regulates the processing of personal data. (Please see What is personal data in our Guide to data protection for further information.)
If the UK GDPR applies to a controller or processor located outside the UK, then the rules on restricted transfers also apply to any transfer they make outside of the UK.
Example
An Australian retailer advertises and sells shoes to people in the UK via its website. Its processing of their data is governed by UK GDPR. It uses an Australian processor to run its website, and a UK logistics company to deliver the shoes.
There is no restricted transfer when personal data is sent to the Australian company by consumers in the UK buying the shoes, as those consumers are exempt from UK GDPR.
There is a restricted transfer from the Australian shoe company to its Australian processor, even if the data flows directly from the UK customers. The transfer of data has been initiated and agreed by the Australian shoe company and its processing of that data is governed by UK GDPR.
There is no restricted transfer to the UK logistics company, as it is in the UK.
- Secondly: you are initiating and agreeing to send personal data, or make it accessible, to a receiver who is located in a country outside the UK.
Only the controller or processor who initiates and agrees to the transfer is responsible for complying with the UK GDPR rules on restricted transfers. They do not both need to comply with these particular UK GDPR rules on restricted transfers. Of course, they may have obligations under other parts of the UK GDPR.
This is not the same as a controller authorising a processor to appoint sub-processors. If you are a processor making a restricted transfer to a sub-processor located outside of the UK, you must comply with the transfer rules. You will have initiated and agreed to send the data to your sub-processor, often in the sub-processor agreement. The controller may have other obligations under UK GDPR about that data flow, but it is not responsible for complying with the transfer rules.
Often you will know you must comply with the transfer rules, as you will be entering into a contract with the receiver.
It is not a restricted transfer if you are sharing personal data under a contract with a UK service company, for example even if the data flows directly from you to that service company’s processor located outside the UK. In that situation the restricted transfer may take place between the UK service company and its processor located outside the UK.
If the transfer rules do not apply to you, you still have other obligations under UK GDPR. You need to do some checks on any company that you share personal data with, in particular if it is your processor. The scope of those checks should be reasonable and proportionate to the risks posed by you sharing personal data with that company.
Example
A UK healthcare company enters into an agreement with a UK processor for data analytic services on its patient data. The analytics are carried out by a sub-processor located outside the UK. The data flows directly from the UK company to the overseas sub-processor.
The UK healthcare company does not need to comply with the transfer rules as the restricted transfer takes place between the UK processor and its sub-processor.
As part of its due diligence on the UK processor, the UK healthcare company asks for details about how the UK processor complies with the transfer rules. As it is health data being transferred, the UK healthcare company makes sure it understands the global data flows and the protections that have been put in place.
The UK processor is making a restricted transfer to its overseas sub-processor and must comply with the transfer rules. If its sub-processor was a branch of the UK processor, and so not a distinct legal entity, there would be no restricted transfer. This is because the branch is part of the UK legal entity.
If data is flowing from a UK processor to an overseas controller or processor, which is not its sub-processor, usually the UK processor’s controller is responsible for the restricted transfer, and it will have the contract with the receiver.
Example
A UK controller has two processors: the first is located in the UK and provides general HR services, and the other is located in Mexico and provides HR analytics. The UK controller has a separate contract with each processor.
The UK controller instructs its UK processor to send certain data files to the Mexican processor.
The restricted transfer is between the UK controller and the Mexican processor.
International transfers match the complexity of global business. You may find yourself in a situation where a transfer has been arranged and initiated by the processor but it is not to its sub-processor. In that situation, it may be the processor who is responsible for complying with the rules on restricted transfers. You will need to consider the particular circumstances of these complex transfers.
Example
An international group runs its UK business through a UK retail company (UK Retail Ltd) and its staff are employed by its UK services company (UK Services Ltd). Its centralised human resources service is provided by a US branch of UK Retail Ltd (they are part of the same legal entity).
Depending on the particular circumstances, UK Services Ltd may be a joint controller or a processor of UK Retail Ltd.
UK Services Ltd decides to run its human resources services through the US branch (of UK Retail Ltd). If the contract is between UK Services Ltd and the US branch of UK Retail Ltd, this is a restricted transfer.
If the contract is between the UK Services Ltd and UK Retail Ltd, this is not a restricted transfer. In that situation, UK Retail Ltd still needs to consider how it manages risks to the personal data due to the flow of data to its US branch, in its compliance with the other parts of UK GDPR.
Transfer does not mean the same as transit. If personal data is just electronically routed through a non-UK country, but the transfer is actually from one UK organisation to another, then it is not a restricted transfer.
Example
Personal data is transferred from a UK controller to another controller in the UK, but happens to be routed via several other countries. There is no intention that the personal data will be accessed or manipulated while it is in those other countries. Therefore, there is no restricted transfer.
You are also making a restricted transfer if you collect information about people on paper, which is not ordered or structured in any way, and you send this to a service company located outside of the UK, to:
- put into digital form; or
- add to a highly structured manual filing system about individual people.
Example
A UK insurance broker sends a set of notes about individual customers to a company outside the UK. These notes are handwritten and are not stored on computer or in any particular order. The non-UK company adds the notes to a computer customer management system. This is a restricted transfer.
Making data accessible to a separate controller or processor located outside the UK will result in a restricted transfer. This could be by allowing remote access to your systems or by putting personal data on to a website. The restricted transfer takes place when someone (who is part of a legally distinct controller or processor) outside the UK accesses that personal data on your systems or via the website.
Example
A UK business enters into an IT support contract with an Indian company. The data remains on the UK business’s servers (in the UK), but is accessed by the IT support team located in India.
Access to this data by the Indian company is a restricted transfer.
- Thirdly: the receiver is a separate controller or processor, and is legally distinct from you.
It may be a separate sole trader, partnership, company, public authority or other organisation. This includes transfers to another company within the same corporate group.
However, if you are sending personal data to someone employed by you or by the same employer as you (so within the same legal entity), this is not a restricted transfer.
Example
A UK company uses a centralised human resources service in the US provided by its US parent company. The UK company passes information about its employees to its US parent company in connection with the HR service. This is a restricted transfer.
Example
A UK company sells holidays in Australia. It sends the personal data of customers who have bought the holidays to the Australian hotels they have chosen in order to secure their bookings. This is a restricted transfer.
What if I am a processor, but my controller is outside the UK?
If you are a processor, it is never a restricted transfer when you send or return data to your controller (provided it is your controller of that same data).
This data flow is the responsibility of the controller, as it must always have been initiated and agreed by them, probably in your processor agreement. This means it cannot be a restricted transfer as it would be a transfer within the same legal entity (i.e. from the controller back to the same controller).
You are responsible for complying with the transfer rules if you have initiated and agreed to the data flow, usually to your sub-processors.
If your controller has initiated and agreed the transfer, then it is the controller who is responsible for complying with the transfer rules. This usually happens when the data flow is from you to another controller or a separate processor. If the UK GDPR does not apply to the controller, then the UK GDPR transfer rules do not apply at all.
Example
A Bolivian company uses a UK processor to store and manage its customer database. Under its processor agreement, the UK processor is instructed to send reports containing personal data directly to the Bolivian company’s parent company in Argentina. This is not a restricted transfer, as it has been initiated and agreed by the Bolivian company.
If the Bolivian company instructs the UK processor to return all the personal data back to it, there is no restricted transfer.
If the Bolivian company instructs the UK processor to forward all the personal data to a new replacement processor also located in Bolivia, then there is no restricted transfer by the UK processor.
But, if UK GDPR applies to the Bolivian company about the processing of its customer database, then there is a restricted transfer between the Bolivian company and its Argentinian parent company, and between the Bolivian company and its new replacement processor located in Bolivia.
Do we need to make a restricted transfer?
Before making a restricted transfer you should consider whether you can achieve your aims without actually sending personal data.
If you make the data anonymous so that it is never possible to identify individuals, it is not personal data. If this is the case, then the restrictions do not apply and you are free to transfer the anonymised data outside the UK.
How do we make a restricted transfer in accordance with the UK GDPR?
You must work through the following questions, in order.
If by the last question, you are still unable to make the restricted transfer, then you will be in breach of UK GDPR if you go ahead.
Question 1: Is the restricted transfer covered by ‘adequacy regulations’?
You may make a restricted transfer if the receiver is located in a third country or territory, or is an international organisation, or in a particular sector in a country or territory, covered by UK 'adequacy regulations'.
UK adequacy regulations set out in law that the legal framework in that country, territory, or international organisation, or in a particular sector in a country or territory, has been assessed as providing ‘adequate’ protection for people’s rights and freedoms about their personal data.
1) What countries or territories are covered by adequacy regulations?
The UK has adequacy regulations about the following countries and territories:
- The European Economic Area (EEA) countries;
These are the EU member states and the EFTA States.
The EU member states are Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden.
The EFTA states are Iceland, Norway and Liechtenstein.
- EU or EEA institutions, bodies, offices or agencies;
- Gibraltar;
- The Republic of Korea; and
- Countries, territories and sectors covered by the European Commission’s adequacy decisions (in force at 31 December 2020).
These include a full finding of adequacy about the following countries and territories:
Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.
In addition, the partial findings of adequacy about:
- Canada – only covers data that is subject to Canada's Personal Information Protection and Electronic Documents Act (PIPEDA). Not all data is subject to PIPEDA. Please read the guidance on the scope of PIPEDA from the Office of the Privacy Commissioner of Canada for further information.
- Japan – only covers personal data transferred to private sector organisations subject to Japan’s Act on the Protection of Personal Information. This does not include transfers of the types listed in the EU’s adequacy decision for Japan.
- The United States of America – only covers data which is transferred under the UK Extension to the EU-US Data Privacy Framework. You can find more information about the UK Extension, including a factsheet for UK organisations, on gov.uk and on the US Department of Commerce’s Data Privacy Framework Program website.
In August 2021, the UK Government announced that it is working in partnership with a number of priority destinations which may be the subject of adequacy regulations in the future, including Australia, Brazil, Colombia, the Dubai International Financial Centre, India, Indonesia, Kenya and Singapore.
The ICO’s role in assisting the Department for Science, Innovation and Technology (previously the Department for Digital, Culture, Media and Sport) with this work is set out in a Memorandum of Understanding between the two authorities. Any future adequacy regulations will be finalised in accordance with this Memorandum and issued by the UK Government.
2) What if there is no adequacy decision?
You should move on to Question 2: Is the restricted transfer covered by appropriate safeguards?
Question 2: Is the restricted transfer covered by appropriate safeguards?
If there are no UK adequacy regulations about the country, territory, international organisation, or particular sector in a country or territory for your restricted transfer, you should then find out whether you can make the transfer subject to 'appropriate safeguards'.
There is a list of appropriate safeguards in Article 46 of the UK GDPR. Each ensures that both you and the receiver of the restricted transfer are legally required to protect people’s rights and freedoms about their personal data. We refer to these as Article 46 transfer mechanisms. A description of each Article 46 transfer mechanism is set out below.
Have you undertaken a transfer risk assessment?
Before you may rely on an Article 46 transfer mechanism to make a restricted transfer, you must be satisfied that the relevant protections in the UK GDPR are not undermined for people whose data is transferred.
You should do this by undertaking a risk assessment, which takes into account the protections contained in your selected Article 46 transfer mechanism and the protection afforded to data subjects in the destination country.
If your assessment is that the Article 46 transfer mechanism does not provide the required level of protection, before making the transfer you must take extra steps and protections so that it does provide the right level of protection.
This assessment is undoubtedly complex in many situations.
We have specific guidance on transfer risk assessments (TRAs), and a TRA Tool.
Further reading
The European Data Protection Board (EDPB) has adopted recommendations on measures that supplement transfer tools. The recommendations apply to the EU GDPR transfer regime, and are included here only as a useful reference about additional measures. We will issue our own guidance on this topic in due course.
ICO guidance on transfer risk assessments (TRAs), and the ICO TRA Tool.
A description of each Article 46 transfer mechanism is set out below:
1. A legally binding and enforceable instrument between public authorities or bodies
You can make a restricted transfer if it is covered by a legal instrument between public authorities or bodies containing ‘appropriate safeguards’. The appropriate safeguards must include enforceable rights and effective remedies for people whose personal data is transferred.
This agreement or legal instrument could also be entered into with an international organisation.
The sender of the data does not need to be a party to this legal instrument, nor does it need to be a public authority, provided that the appropriate safeguards in the legal instrument apply to the transferred data.
2. UK Binding corporate rules (UK BCRs)
The concept of using BCRs to provide appropriate safeguards for making restricted transfers was developed under EU law and continues to be part of UK law under the UK GDPR, specifically Article 47.
BCRs are intended for use by multinational corporate groups, groups of undertakings or a group of enterprises engaged in a joint economic activity such as franchises, joint ventures or professional partnerships.
For further information on UK BCRs please visit our ‘Guide to Binding Corporate Rules’.
3. Standard data protection clauses
You can make a restricted transfer if you and the receiver have entered into a contract incorporating standard data protection clauses recognised or issued in accordance with UK data protection law.
Standard data protection clauses impose contractual obligations on the sender and the receiver, and grant rights to people whose personal data is transferred. People must be able to directly enforce those rights against the sender or receiver, or both.
We have issued two sets of standard data protection clauses for restricted transfers which you can use as your 'appropriate mechanism' under UK GDPR:
- our International Data Transfer Agreement (IDTA); and
- an International Data Transfer Addendum (Addendum) – this is an addendum to the new standard contractual clauses issued by the European Commission under the EU GDPR on 04 June 2021 (new EU SCCs). The new EU SCCs are not valid for restricted transfers under UK GDPR on their own but using the Addendum allows you to rely on the new EU SCCs for your transfers under UK GDPR.
The IDTA and Addendum were laid before Parliament on 2 February 2022 and came into force on 21 March 2022.
If you entered into the old EU standard contractual clauses issued by the European Commission under the old Data Protection Directive (the old EU SCCs), prior to 21 September 2022, these old EU SCCs will continue to be valid for restricted transfers under the UK regime, but only until 21 March 2024 (see more on this below).
From 21 March 2024, if your restricted transfers continue, you must enter into a new contract on the basis of the IDTA or the Addendum or find another way to make the restricted transfer under the UK GDPR.
When you are entering into a contract on the basis of the IDTA or the Addendum, you must carry out a transfer risk assessment (see above).
Example
A family in the UK books a holiday in Australia with a UK travel company. The UK travel company sends details of the booking to the Australian hotel.
The travel company and the hotel are separate controllers, as they are processing the personal data for their own purposes and making their own decisions.
The UK travel company and the hotel should enter into the IDTA or the Addendum.
The UK travel company must also undertake a transfer risk assessment. If necessary, they should also take extra steps and put in place extra protections to ensure that the family’s relevant rights under the UK data protection regime are not undermined.
The IDTA or Addendum and the transfer risk assessment may cover all similar restricted transfers between the UK travel company and the Australian hotel, and not just the transfer of the family’s data.
If you are making a restricted transfer from a controller to a processor, you also need to comply with the UK GDPR requirements about using processors.
4. An approved code of conduct
You can make a restricted transfer if the receiver has signed up to a code of conduct which has been approved by us. The code of conduct must include appropriate safeguards to protect the rights of people whose personal data is transferred, with a binding and enforceable commitment by the receiver to apply those appropriate safeguards.
The UK GDPR endorses the use of approved codes of conduct to demonstrate compliance with its requirements.
The transfer risk assessment may be built into the code of conduct, or it can be carried out by the sender prior to it making a restricted transfer to the receiver.
We are actively working with various sector bodies and associations to review proposed codes of conduct. We will publish further information once we have approved any codes of conduct.
Further reading
The European Data Protection Board (EDPB) has published guidance on codes of conduct. This applies to the EU GDPR, and is included here as a useful reference. We will issue our own guidance on this topic in due course.
5. Certification under an approved certification scheme
You can make a restricted transfer if the receiver has a certification, under a scheme approved by us. The certification scheme must include appropriate safeguards to protect the rights of people whose personal data is transferred, with a binding and enforceable commitment by the receiver to apply those appropriate safeguards.
The UK GDPR also endorses the use of approved certification mechanisms to demonstrate compliance with its requirements.
The transfer risk assessment may be built into the certification scheme, or it can be carried out by the sender prior to it making a restricted transfer to the receiver.
We will publish further information once we have approved any certification schemes.
6. Contractual clauses authorised by the ICO
You can make a restricted transfer if the sender and the receiver have entered into a bespoke contract governing a specific restricted transfer, and that contract has been individually authorised by us for that restricted transfer.
There may still be a requirement for separate transfer risk assessments, depending on the form and content of the bespoke contract.
7. Administrative arrangements between public authorities or bodies
You can make a restricted transfer if it is covered by an administrative arrangement between public authorities or bodies (usually a document, such as a memorandum of understanding).
This administrative arrangement must set out ‘appropriate safeguards’ for the rights of people whose personal data is to be transferred. The appropriate safeguards must include effective and enforceable rights for the people whose personal data is transferred.
The administrative arrangement must be individually authorised by us, and there may still be a requirement for separate transfer risk assessments, depending on the form and content of the administrative arrangement.
Question 3: Is the restricted transfer covered by an exception?
You can go ahead with a restricted transfer if you need to send the personal data because:
- there is an emergency situation;
- someone’s life, physical or mental health or wellbeing is at serious risk; and
- you cannot obtain the consent of the person the data to be transferred is about, because they are unable to give their consent.
This includes an urgent need for life-sustaining food, water, clothing or shelter. (See below for more information on the vital interests exception.)
If you are making a restricted transfer that is not covered by UK adequacy regulations, it may be covered by one of the eight exceptions set out in Article 49 of the UK GDPR.
The eight exceptions are:
- You have the explicit consent of the person the transferring data is about.
- You have a contract with the person the transferring data is about, and the restricted transfer is necessary so you can carry out your obligations in that contract. Or, the restricted transfer is necessary so you can carry out pre-contract steps as requested by that person.
- The restricted transfer is necessary for you to enter into a contract or to carry out your obligations under a contract. And that contract benefits the person the transferring data is about. (In this case the contract is not with that person).
- The restricted transfer is necessary for important reasons of public interest.
- The restricted transfer is necessary to establish whether you or someone else has a legal claim or defence, to make a legal claim or to defend a legal claim.
- The restricted transfer is necessary to protect someone’s vital interests – this may or may not be the person the transferring data is about. To use this exception the person the transferring data is about must be physically or legally incapable of giving their consent to the restricted transfer.
- The restricted transfer is from a public register and meets the relevant legal requirements relating to access to that public register.
- The restricted transfer is a one-off transfer which is necessary to meet your compelling legitimate interests.
Exceptions 2, 3, 4, 5, 6 and 8 contain the word ‘necessary’. This does not mean that the transfer has to be absolutely essential. However, it must be more than just useful and standard practice. It must be a targeted and proportionate way of achieving a specific purpose. The exception does not apply if you can reasonably achieve the same purpose by some other means.
It is not enough to argue that the transfer is necessary because you have chosen to operate your business in a particular way. The question is whether the transfer is objectively necessary and proportionate for the stated purpose, not whether it is a necessary part of your chosen methods.
Because the exception must be both necessary and proportionate, you can take into account:
- the reason why the transfer is needed;
- the alternatives available;
- the protections which will be in place; and
- the potential harm to people.
We will explain how you can do this in more detail below.
Exception 1: Do you have explicit consent for the restricted transfer from the person the transferring data is about?
As a valid consent must be both specific and informed, you must provide people with precise details about the specific restricted transfer. You cannot obtain a valid consent for restricted transfers in general.
You should tell people:
- the identity of the receiver, or the categories of receiver;
- the country or countries to which the data is to be transferred;
- why you need to make a restricted transfer;
- the type of data to be transferred;
- that they are able to withdraw consent; and
- importantly, the possible risks involved in making a transfer to a country which does not provide adequate protection for personal data and without any other appropriate safeguards in place.
Public authorities cannot rely on this exception when exercising their public powers.
You may wish to rely on this exception, if you are also putting in place an Article 46 transfer mechanism. This may be the case if, from your transfer risk assessment, you decide the Article 46 transfer mechanism does not provide appropriate safeguards for all risks. In that case, to obtain a valid consent you still need to set out the above information, but only cover the risks which are not sufficiently safeguarded by the Article 46 transfer mechanism.
Example
You intend to enter into the IDTA with the receiver of personal data in another country. You have completed your transfer risk assessment and have identified that there are risks which may not be sufficiently protected.
You decide to still put in place the IDTA, as it contains many useful protections, and ask the person whose personal data is being transferred to give their explicit consent to the restricted transfer, setting out the detail of only those risks which the transfer risk assessment identified as not being sufficiently protected.
Exceptions 2-8: Things to consider before using these exceptions
Relationship with Article 46
For exceptions 2 to 6 and 8 set out below, you must first consider if it is more reasonable and proportionate to put in place an Article 46 transfer mechanism than rely on an exception. This is so that you can meet the requirement to show the transfer is necessary and proportionate for the specific exception.
You may also want to rely on an exception in situations where you have an Article 46 transfer mechanism in place (as discussed above in relation to Exception 1). This is the case if, from your transfer risk assessment, you decided that the transfer mechanism provides appropriate safeguards for some, but not all, of the risks to the data. You then only need an exception for the data that is not sufficiently safeguarded.
What does necessary and proportionate mean in the context of exceptions 2 to 6 and 8?
There are a number of factors you must consider here. You must always be aware that if you rely on an exception, there is a danger that the data will lose all protection once it has been transferred. This risk can be reduced if there are other protections in place, and this will help to make relying on the exception more proportionate. Such a protection could be an Article 46 transfer mechanism which, after your transfer risk assessment, you decided does not provide sufficient safeguards for all risks.
The questions below will help you decide whether the transfer is necessary and proportionate.
What are the specific circumstances of the restricted transfer?
It is important that the first thing you do is map out the data flows and record the specific circumstances of the restricted transfer, including details of any protection that is in place for the data. You need this information in order to answer the questions below.
Consider and document the following (to the extent not already documented as part of a separate transfer risk assessment):
- Is there an Article 46 transfer mechanism in place for any of the data? (If there is, you should have carried out a transfer risk assessment in relation to this Article 46 transfer mechanism and identified whether there is a residual risk that some or all of the data will not be sufficiently safeguarded.)
- Who is the data going to? What kind of organisation is the receiver (eg a public regulator like the ICO, an IT company, a parent or service company in your group)? Is the receiver a controller, joint controller, processor or sub-processor?
- Where is the receiver located?
- Will the receiver send on the data to any other organisations? If so, what kind of organisation are they and where are they located?
- Why are you making the transfer? What will the receiver be doing with the data? If the data is going to be sent on to other organisations, what will they be doing with the data?
- If you have carried out a transfer risk assessment, what risks have you identified as not being sufficiently safeguarded by the Article 46 transfer mechanism?
- Who is the data about? Set out the categories of data subject (eg customers, employees or business contacts).
- What type(s) of data are you transferring, and does it include any special categories of personal data, or other more sensitive types of data such as financial transaction data, location data or confidential records?
- Are there protections for the data because of the type of organisation or person the receiver is? Does the receiver have to comply with professional rules or other rules which apply in addition to the general legal regime of the destination country (eg if the importer is a law firm, then it may be subject to rules of professional conduct or rules of privilege)?
- Are there any other contractual protections (eg a confidentiality agreement)?
- What technological and organisational security measures will the receiver have in place to protect the data (eg is the data pseudonymised or encrypted)?
- What is the format of the transferred data (eg plain text)?
- How are you sending the data (eg are you transmitting it by email, website encryption or secure file transfer protocol (SFTP))? Or does it involve remote access to data stored in the UK?
- For how long can the receiver access the data?
- How often will these transfers occur?
- How much personal data are you transferring?
Do you need to make the transfer to meet the purpose set out in the exception you identified?
Ask whether it is possible to achieve the purpose set out in the exception without making the restricted transfer – in other words, is the transfer necessary?
Is it proportionate to make the transfer to meet the purpose set out in the exception you identified?
There are two aspects to proportionality:
- When thinking about the alternative options available to you to meet your purpose, consider whether it is more proportionate to use one of those options or make the restricted transfer.
| More likely to be proportionate to make the restricted transfer | Less likely to be proportionate to make the restricted transfer |
|---|---|
| Alternative option is significantly higher cost | Alternative option is around the same cost |
| Alternative option is significantly less beneficial to people | Alternative option is similarly or more beneficial to people |
| There is a higher risk of harm to people if the alternative option is used | There is a similar or lower risk of harm to people if the alternative option is used |
- Consider whether it is more proportionate to put in place an Article 46 transfer mechanism for some, or all of the data instead of using an exception:
| More likely to be proportionate to rely on the exception | Less likely to be proportionate to rely on the exception |
|---|---|
| Occasional transfers | Regular and predictable transfers, or systematic transfers |
| Lower volume of data | Higher volume of data |
| Low risk of harm to people once personal data is transferred | Higher risk of harm to people once personal data is transferred |
| Other protections for the personal data are available if it is transferred | No other known protections for the personal data if it is transferred |
If it is more proportionate to put an Article 46 transfer mechanism in place, then you should do so.
If it is not necessary and proportionate to rely on the exception to make the restricted transfer, then you need to either:
- obtain explicit consent (under exception 1); or
- put in place an Article 46 transfer mechanism (with a transfer risk assessment which confirms the Article 46 transfer mechanism provides appropriate safeguards for your particular transfer).
Exceptions 2-8: Meaning and scope
Exception 2
If you have a contract with the person the transferring data is about, or you are about to enter into a contract with that person, and you need to make the restricted transfer either:
- so you can carry out your obligations in the contract; or
- so you can carry out pre-contract steps requested by that person.
You need to make the restricted transfer for the core purpose of the contract or of the pre-contract steps.
Public authorities cannot rely on this exception when exercising their public powers.
Examples
A UK travel company offering bespoke travel arrangements relies on this exception to send personal data to a hotel in Peru. It does this because it does not routinely arrange for its customers to stay at that hotel. If it did, it should consider using an appropriate safeguard, such as the IDTA or Addendum.
It is only necessary and proportionate to send limited personal data for this purpose, such as the name of the customer, the room required and the length of stay.
Before the travel package is confirmed (and the UK travel company enters into a contract with the customer), the customer wishes to reserve a room in the Peruvian hotel. The UK travel company has to send the Peruvian hotel the name of the customer in order to hold the room. The UK travel company does not routinely arrange for its customers to stay at this hotel. The customer wishes to reserve the room, and in order to do this their data must be sent to the hotel before the contract is concluded. This is a pre-contract step at the request of the customer, who the transferring data is about.
A UK events company routinely sends personal data to a conference centre outside the UK, and intends to put in place an IDTA. When it carries out its transfer risk assessment, it has concerns that the data will not have appropriate safeguards in that country. The UK events company enters into the IDTA. In the circumstances, including the fact the IDTA provides some protection, the restricted transfer is necessary and proportionate for the performance of its contracts with the customers.
Exception 3
If you have or are about to enter into a contract which is NOT with the person who the transferring data is about, but the contract is for their benefit or in their interests, and you need to make the restricted transfer either:
- so you can carry out your obligations in the contract. These obligations must be for the core purpose of the contract; or
- so you can enter into that contract.
Public authorities cannot rely on this exception when exercising their public powers.
You may rely on both exceptions 2 and 3:
- exception 2 for the personal data of the person entering into the contract; and
- exception 3 for the personal data of other people benefiting from that contract, often family members.
Exceptions 2 and 3 are not identical. You cannot rely on exception 3 for restricted transfers needed for steps required prior to entering into the contract.
Example
Following on from the previous example, the customer is buying the travel package to Peru for both themselves and their family. Once they have bought the package with the UK travel company, it may be necessary for the UK travel company to send the names of the family members to the Peruvian hotel in order to book the rooms.
This is a restricted transfer that is necessary for the UK travel company to carry out its obligations in its contract with the customer, and which is for the benefit of the other family members.
Exception 4
You need to make the restricted transfer for important reasons of public interest.
The relevant public interest must be a public interest that is recognised in UK law.
This does not include international treaties or agreements but it does include any UK law made to give effect to an international agreement or treaty.
You may need assistance from a legal professional. You are looking for a law which, expressly or by implication, recognises this activity as something that should or could be done, and that is in the public interest.
Both public and private organisations can rely on this exception.
Examples of situations where this exception may arise include:
- international data exchange between competition authorities, or between tax or customs administrations;
- data exchange between financial supervisory authorities for their regulatory functions;
- data exchange between public authorities dealing with social security matters; and
- data exchange for public health purposes (eg contact tracing for contagious diseases, or reducing or eliminating doping in sport).
A very specific example is set out in the letter we sent to the US Securities and Exchange Commission (SEC), about transferring data from UK financial services companies that are regulated by the SEC. Please note that this was written under the EU GDPR, and our guidance on the exceptions has since been updated for the UK GDPR.
Exception 5
You need to make the restricted transfer to establish if you or someone else has a legal claim or defence, or to make or defend a legal claim.
There must be a close connection between the need for the personal data to be transferred and the legal claim.
The claim must be a legal claim but it could apply to:
- a claim that would be brought and defended in a court (including civil and criminal law);
- a claim that would be brought and defended in a tribunal (eg an employment tribunal);
- administrative or regulatory procedures (eg to defend an investigation (or potential investigation) in competition law or financial services regulation, or to seek approval for a merger); or
- an out-of-court procedure (eg without prejudice meetings, mediation or arbitration).
The exception does not require that proceedings have started or formal steps have been taken by an administrative or regulatory body. But you cannot rely on this exception if there is only the possibility that a legal claim or other formal proceedings may be brought in the future.
The exception applies if you or another person involved in the legal claim:
- are engaged in pre-action correspondence;
- are taking advice about the legal risk in bringing or defending a claim; or
- have received a request for information from an overseas regulator with a view to it potentially taking formal action.
Both public and private organisations can rely on this exception.
Exception 6
You need to make the restricted transfer to protect a person’s vital interests.
This may or may not be the person the transferring data is about. But it must not be possible for that person to give their consent.
Vital interests covers the situation when someone’s life, or their physical or mental health or wellbeing is at urgent and serious risk. This includes an urgent need for life-sustaining food, water, clothing or shelter.
Please see vital interests in our Guide to data protection for further information.
It may or may not be the person who the transferring data is about whose vital interests are at risk but it must not be possible for the person to give their consent. This may be because it is not physically or legally possible. For example:
- The person is unconscious.
- You are not able to contact the person, and, given the circumstances, you have taken reasonable and proportionate steps to try to contact them. In an emergency, it can be reasonable and proportionate not to even try to contact them.
- You do not have time to provide the person with all the information needed for their explicit consent.
- The person is not capable of understanding all the information needed for their explicit consent.
The risk to a person’s vital interests must outweigh any data protection concerns. Accordingly, it is not possible to rely on this exception for general medical research.
Both public and private organisations can rely on this exception.
Example
A UK citizen is in a coma in the US and data about their medical history needs to be transferred to the US hospital for their essential medical treatment. This exception applies.
If the UK citizen is awake, is capable of giving explicit consent, and there is time for you to do so, then you cannot rely on this exception.
If the US hospital needs information about the UK citizen’s family history from their mother in the UK, and the mother has severe dementia, this exception applies as the mother is incapable of giving consent.
Exception 7
You are making the restricted transfer from a public register.
The register must be created under UK law and must be open to either:
- the public in general; or
- any person who can demonstrate a legitimate interest.
For example, registers of companies, associations, land registers or public vehicle registers.
The greater the volume of the public register that is being transferred, the less likely the restricted transfer is to be proportionate. It is unlikely to be proportionate to make the restricted transfer if the whole of the public register, or a whole set of one of the categories of personal data on the public register, is to be transferred.
The transfer must comply with the UK laws which apply to consultations and disclosures from that public register.
If, by law, access to the register is only given to those with a legitimate interest, the assessment of that legitimate interest must take into account that the data is being sent to a country with less protection for the people the transferring data is about.
Private companies that create and hold their own registers (eg credit reference databases) cannot rely on this exception.
Exception 8
You are making a one-off restricted transfer and it is in your compelling legitimate interests.
You should not rely on this exception lightly, and never routinely, as it is only for truly exceptional circumstances.
Public authorities cannot rely on this exception when exercising their public powers.
For this exception to apply to your restricted transfer all of the following must apply:
1. You are unable to use any of the Article 46 transfer mechanisms. You must give serious consideration to this, even if it would involve significant investment from you.
2. None of the other exceptions apply. Again, you must give serious consideration to the other exceptions. For example, it may be that you can obtain explicit consent with some effort or investment.
3. Your transfer must not be repetitive. It may happen more than once but must not be regular and predictable, and must not be systematic.
4. The personal data must only relate to a limited number of people. There is no absolute threshold for this. The number of people involved should be part of the balancing exercise you undertake in point 6 below.
5. The transfer must be necessary for your compelling legitimate interests. Please see legitimate interests as a lawful basis for processing in the Guide to data protection, but bear in mind that this exception requires a higher standard. It must be a compelling legitimate interest. There must be serious consequences to you if you are unable to make the restricted transfer, or very significant benefits if you do make the restricted transfer. For example, a transfer of personal data to protect a company’s IT systems from serious immediate harm.
6. On balance, your compelling legitimate interests outweigh people’s rights and freedoms. You must balance:
   - the serious consequences to you if you are unable to make the restricted transfer, or the very significant benefits if you do make it; against
   - the risk of harm to people as a result of making the restricted transfer.
7. You have made a full assessment of the circumstances surrounding the transfer and provided suitable safeguards to protect the personal data. Suitable safeguards might be:
   - an Article 46 transfer mechanism that, following your transfer risk assessment, does not provide sufficient safeguards for all the risks;
   - a strict confidentiality agreement;
   - a legal requirement for data to be deleted soon after transfer;
   - technical controls to prevent the use of the data for other purposes, or to automatically delete the data soon after transfer; or
   - sending pseudonymised or encrypted data.
   You must record this in full in your documentation of your processing activities.
8. You have informed the person the transferring data is about, explaining the restricted transfer and why your compelling legitimate interest outweighs any risk of harm to them.
9. You have informed the ICO about the transfer. We will ask to see full details of all the steps you have taken, as set out above. If we do not agree with your assessment, we may advise you that making the restricted transfer would breach the UK GDPR transfer rules, and we will consider whether it is appropriate for us to use our regulatory powers.
Further reading
The European Data Protection Board (EDPB) adopted Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679. These guidelines apply to the EU GDPR transfer regime, and are included only as a useful reference