Quick reference FAQs
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you which guidance will be updated and when this will happen.
Here we address some of the questions we’re asked most often about restricted transfers. For more information, please refer to our detailed guides.
Do we need to make a restricted transfer?
Before making a restricted transfer, you should check if you can achieve your aims without actually sending personal information (or allowing access to it) to an organisation located outside the UK.
For example, you could consider whether you can anonymise the personal information before transferring it. If you can make it anonymous so that it’s never possible to identify people, it’s no longer personal information and the UK GDPR doesn’t apply.
Is it still a restricted transfer if we’re only making a one-off transfer of a small amount of personal information?
Yes. The rules apply to all restricted transfers, even small, infrequent ones.
Is personal information in ‘transit’ through another country a restricted transfer?
Transfer does not mean the same as transit. If personal information is just electronically routed through a country outside the UK, but the transfer is actually between two UK-based organisations, then it’s not a restricted transfer.
You must put in place appropriate security measures to prevent unauthorised access to the personal information while it’s in transit.
Is allowing an organisation outside the UK access to our systems considered a restricted transfer?
Yes. A restricted transfer isn’t just about sending personal information. It can also mean making personal information accessible. For example, if you allow an organisation located outside the UK remote access to personal information held on your systems in the UK.
A restricted transfer takes place when an organisation located outside the UK accesses the information. At the point you make the information accessible, you must ensure any restricted transfer that may take place is covered by one of the transfer mechanisms (ie adequacy regulations, appropriate safeguards or an exception).
Are we making a restricted transfer if we’re transferring personal information to one of our employees in another country?
If you’re an organisation based in the UK and you send personal information to another employee in the same organisation when they’re outside the UK, it’s not a restricted transfer.
It’s also not a restricted transfer if one of your employees uses their work device to access your UK systems whilst they’re outside the UK.
This is because you and your recipient are part of the same legal entity.
If you allow your employees to receive or access personal information while they're in another country, you must put in place appropriate security measures to prevent unauthorised access to the personal information.
Is returning personal information to our controller outside the UK a restricted transfer?
If you’re a UK processor and your controller is located outside the UK, you’re not making a restricted transfer when you transfer information to your controller as long as you’re:
- only handling the personal information as a processor under the instructions of your controller; or
- transferring the personal information to the same controller that instructed you to do the processing.
This is not a restricted transfer because you’re not initiating the transfer.
Is sending someone their own personal information a restricted transfer?
No. You’re not making a restricted transfer if you’re sending someone outside the UK their own personal information. The UK GDPR doesn’t apply in this situation because the person receiving the information isn’t a controller or processor.
Do the transfer rules apply to the use of cloud services?
If you’re contracting with a UK-based cloud service provider (CSP), you’re not making a restricted transfer by using its cloud services.
If you’re contracting with a CSP based outside the UK, it’s very likely that you’re making a restricted transfer by using the CSP.
The nature of cloud services means that the CSP is initiating transfers of information. If the UK GDPR applies to the CSP, it must comply with the transfer rules.
If you receive personal information from an organisation outside the UK, this is not a restricted transfer under the UK GDPR.
Even if the UK GDPR applies to the organisation sending the information, it’s not transferring that information to a recipient outside the UK.
Are there any countries that we can’t transfer personal information to?
There aren’t any countries that you’re not able to transfer personal information to under UK law. However, you must always:
- follow the rules on international transfers; and
- consider the risks involved in sending personal information to a particular recipient in a specific country outside the UK.
When do we need to complete a transfer risk assessment?
You only need to complete a transfer risk assessment (TRA) when you’re using a safeguard to make your restricted transfer.
You don’t need to complete a TRA if you rely on adequacy regulations or an exception to make a restricted transfer. However, you should still make reasonable and proportionate checks that the recipient will comply with its data protection obligations under local data protection laws.
Do adequacy regulations cover all restricted transfers to a specific country?
Adequacy regulations create ‘full adequacy’ or ‘partial adequacy’ for a specified country (or territory or sector in a country). Before relying on adequacy regulations, you must check the scope of the regulations to ensure they cover the personal information you’re transferring.