Receiving personal information from the EEA

Latest updates – last updated 15 January 2026

15 January 2026 – This guidance replaces our previous guidance on Data protection and the EU. This dated from when the UK left the EU and was located separately from our core guidance on international transfers. We’ve removed outdated information and rebranded the guidance as ‘Receiving personal information from the EEA’. It’s now located with our other transfers guidance. We’ve also updated the information on the European Commission’s renewed adequacy decisions for the UK.

About this guidance

This guidance discusses receiving personal information from the European Economic Area (EEA), and the UK’s adequacy decisions from the European Union (EU). It is aimed at Data Protection Officers (DPOs) and those with specific data protection responsibilities.

The guidance provides some examples to help illustrate how the legislation might apply in practice. However, we don't address every aspect of regulatory compliance that applies to you.

It is particularly relevant to UK businesses and organisations that:

  • operate inside the EEA;
  • target customers based in the EEA; or
  • monitor the behaviour of people in the EEA.

The EEA includes the EU countries and Iceland, Liechtenstein and Norway. When we use ‘EEA’ in this guidance, we mean all these countries.

The UK has adequacy decisions from the EU under:

  • the EU General Data Protection Regulation (EU GDPR) for general processing; and
  • the Law Enforcement Directive (LED) for processing for law enforcement purposes.

These adequacy decisions apply to organisations in all EEA countries. They allow personal information to flow from the EEA to the UK without the need for additional safeguards.

In detail

What are the EEA countries?

The EEA includes the EU countries and Iceland, Liechtenstein and Norway.

The EU countries are:

Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden.

What is ‘adequacy’?

‘Adequacy’ is the term that the EU uses to describe other countries, territories, sectors or international organisations that it deems to provide an “essentially equivalent” level of data protection to that of the EU.

An adequacy decision is a formal decision the EU makes that recognises that another country, territory, sector or international organisation provides an equivalent level of protection for personal information as the EU does. It means that personal information can flow freely from the EEA within the scope of the adequacy decision.

Does the UK have adequacy decisions from the EU?

Yes. The UK has EU adequacy.

The European Commission has renewed its two original adequacy decisions for the UK. The amended decisions were adopted on 19 December 2025, and they cover transfers under the:

These decisions contain the European Commission’s detailed assessment of the UK’s laws and systems for protecting personal information, as well as the legislation that says the UK’s level of protection is adequate.

The decisions apply to any personal information transferred from the EEA to the whole of the UK.

Both adequacy decisions last until 27 December 2031.

The European Commission monitors developments in the UK on an ongoing basis to ensure that the UK continues to provide an equivalent level of data protection.

What does the EU GDPR adequacy decision for the UK say?

The renewed EU adequacy decision for the UK under the GDPR says that the UK provides adequate protection for personal information transferred from the EEA to the UK.

The amended adequacy decision is a full adequacy finding. This means that organisations in the EEA can send personal information to the UK under the EU GDPR without needing to:

  • put appropriate safeguards in place; or
  • rely on a derogation (we call this an ‘exception’ in our guidance).

Therefore, your UK business or organisation can freely receive personal information from the EEA.

The original EU GDPR adequacy decision (from 2021) didn’t cover all personal information transferred from the EEA to the UK. It didn’t cover personal information:

  • for the purposes of immigration control; or
  • where the UK immigration exemption in the Data Protection Act 2018 (DPA) applied.

If you previously received this type of personal information from the EEA, it was likely sent under appropriate safeguards (not adequacy) under the EU GDPR.

What does the LED adequacy decision for the UK say?

The renewed EU adequacy decision for the UK under the LED says that the UK provides adequate protection for personal information transferred from EU competent authorities to UK competent authorities responsible for:

  • the prevention, investigation, detection or prosecution of criminal offences; or
  • the execution of criminal penalties.

If you want to further transfer personal information received from an EU competent authority under part 3 of the DPA, there are additional obligations. See our separate guidance on international transfers in our Guide to law enforcement processing.

What can we do to help us navigate the UK and EU data protection regimes?

We can only provide guidance on the UK data protection laws under our regulatory responsibilities. But we understand that UK organisations may need to navigate both the UK and EU data protection regimes.

The EU GDPR may apply to you if:

  • you operate in the EEA;
  • you offer goods or services to people in the EEA; or
  • you monitor the behaviour of people in the EEA.

We can’t provide specific guidance on the EU GDPR. If you think the EU GDPR applies to your processing, you need to refer to the EU GDPR and guidance from the EU supervisory authorities or European Data Protection Board (EDPB).

If you’re operating across the UK and EU data protection regimes, remember the following:

Example

A hospital in Ireland (in the EEA) provides specialised health services to people in Northern Ireland (part of the UK).

A health trust based in Northern Ireland refers its patients to the hospital in Ireland for these specialised health services.

The hospital in Ireland receives the referrals and invites these patients for diagnostic appointments and treatment. It then updates the health trust on the outcome of the appointments and treatment.

This involves the health trust in Northern Ireland and the hospital in Ireland sharing (sending and receiving) personal information about people in Northern Ireland.

When the health trust in Northern Ireland sends personal information to the hospital in Ireland, this is a restricted transfer under the UK GDPR. Our ‘three step test’ for a restricted transfer is met:

Step one: The UK GDPR applies to the health trust’s processing;

Step two: The health trust initiates the transfer of personal information outside the UK; and

Step three: The health trust and the hospital are separate legal entities.

Therefore, the UK GDPR transfer rules apply. The health trust could rely on UK adequacy regulations for Ireland to make the transfer.

When the hospital sends personal information to the health trust in Northern Ireland, the EU GDPR applies as the hospital is located in the EEA. Under the EU GDPR, this is a transfer to a ‘third country’.

The hospital may rely on the EU GDPR adequacy decision for the UK to send the outcomes of the patient referrals to the health trust based in Northern Ireland.

Adequacy is relied on for both transfers, but they are made under two different data protection regimes.

Example

A Belfast holiday company offers holidays to customers in Northern Ireland (part of the UK) and Ireland (in the EEA). As it targets UK and EU customers, both the EU GDPR and UK GDPR apply.

The holiday company uses a processor in Dublin (in Ireland) to carry out marketing on its behalf.

It carries out a data flow mapping exercise to see how the respective data protection regimes apply to its marketing campaign.

The holiday company decides to rely on adequacy for restricted transfers between itself and its processor, and so personal information can flow freely. It doesn’t need to consider appropriate safeguards or an exception.

The Belfast holiday company has a parent company based in Australia. They are separate legal entities. The holiday company uses the parent company’s analytical services to assist in its marketing campaign and sends customer files (from UK and Ireland customers) to its parent company.

The Belfast holiday company extends its data flow mapping exercise to cover the analytics processing.

When the holiday company sends personal information about Ireland (EU) customers to its parent company in Australia, this is a transfer to a ‘third country’ under the EU GDPR.

When the holiday company sends personal information about customers from Northern Ireland (UK) and Ireland (EU), this is a restricted transfer and the UK GDPR transfer rules apply.

There is no EU GDPR adequacy decision or UK adequacy regulations in place for Australia.

The holiday company chooses to use EU standard contractual clauses (SCCs) under the EU GDPR for transfers about its Ireland (EU) customers’ personal information to its parent company in Australia. It also completes a TIA.

For compliance with the UK GDPR, it could use our International data transfer addendum. It also could use the TIA it completed for EU personal information to inform its TRA.

Do we need a European representative?

If you’re a UK organisation, you may need to comply with the EU GDPR if you:

  • are based in the UK; and
    • offer goods or services to people in the EEA, or
    • monitor the behaviour of people in the EEA.

If you don’t have a base inside the EEA, the EU GDPR requires you to appoint a representative in the EEA in most circumstances. The role of a representative is to act on your behalf regarding your EU GDPR compliance and liaising with any supervisory authorities or people whose personal information you are processing.

This representative needs to be set up in an EEA country where some of the people whose personal information you’re processing under EU GDPR are located.

Your representative may be a person, company or organisation established in the EEA (eg a law firm, consultancy or private company). They need to be able to represent you regarding your obligations under the EU GDPR.

If you want an easy way to appoint a representative, you may do this under a simple service contract.

You need to give details of your representative to people based in the EEA whose personal information you are processing. You may do this by including the details in:

  • your privacy notice; or
  • the upfront information you give people when you collect their personal information.

You also need to make the details of your representative easily accessible to supervisory authorities, for example, by publishing their contact information on your website.

Having a representative doesn’t affect your own responsibility or liability under the EU GDPR.

The EDPB has published more information on appointing a representative under the EU GDPR.

Example

A UK law firm doesn’t have offices in any EEA countries but has a regular client base in Sweden and Norway (only).

The firm must appoint a European representative to act as its direct contact for people whose personal information is processed and for the EEA supervisory authorities (as required by the EU GDPR).

This European representative may be based in Sweden or Norway, but not in any other EEA state.

The firm decides to appoint its representative in Norway. It includes the name of its European representative in its privacy notice. It doesn’t need to inform the supervisory authority in Norway (or Sweden) but makes sure the contact details are accessible by publishing them on its website.

Do we need a UK representative?

You must comply with UK GDPR and appoint a representative in the UK if:

  • you’re based outside the UK; and
  • you don’t have a branch, office or other establishment in the UK, but you:
    • offer goods or services to individuals in the UK; or
    • monitor the behaviour of individuals in the UK.

You don’t need to appoint a representative if:

  • you’re a public authority; or
  • your processing is only occasional, of low risk to the data protection rights of individuals, and does not involve the large-scale use of special category or criminal offence data.

You must authorise the representative, in writing, to:

  • act on your behalf regarding your UK GDPR compliance; and
  • liaise with the ICO and the people whose information you’re processing.

Your representative may be a person, company or organisation established in the UK (eg a law firm, consultancy or private company). They must be able to represent you for your obligations under the UK GDPR.

You must appoint your representative in writing, and you should set out the terms of your relationship with them.

If you want an easy way to appoint a representative, you could do so under a simple service contract.

You should give details of your representative to people in the UK whose personal information you’re processing. You could do this by including the details in:

  • your privacy notice; or
  • the upfront information you give people when you collect their personal information.

You must also make the details of your representative easily accessible to us, as the supervisory authority. For example, you could publish your representative’s contact information on your website.

Having a representative doesn’t affect your own responsibility or liability under the UK GDPR. If you’re not sure about any part of appointing a representative, you could take independent legal advice.

Example

A sales firm based in the Republic of Ireland doesn’t have offices in the UK but has a regular client base in the UK.

The firm must appoint a UK representative to act as its direct contact for people whose personal information is being processed and for the ICO.

The firm informs its customers of its UK representative when it collects their personal information at the point of sale. The firm also makes sure the details are easily accessible on its website.