What do we need to consider if we transfer people’s personal information outside the UK?

Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.

Contents

Data protection law contains rules about transferring personal information to receivers located outside the UK. We refer to these as restricted transfers.

You must ensure that one of the following apply:

the transfer is covered by ‘adequacy regulations’. This means that the country you plan to send the information to has ‘adequate’ protection for people’s personal information;
there are appropriate safeguards in place. This means that if there are no UK adequacy regulations in place for that country, you must do an assessment to check that relevant UK GDPR protections are not undermined for people whose information is transferred; or
the transfer is covered by an exception.

Further reading

A guide to international transfers