UK General Data Protection Regulation (UK GDPR)

If you are subject to the UK General Data Protection Regulation (UK GDPR) and are transferring personal data outside of the UK, you are making what is known as a 'restricted transfer'. There are strict rules on such transfers. These apply to all data transfers, no matter the size of the transfer, or how often you carry them out.

Are you making a restricted transfer?

You are making a restricted transfer of personal data if:

• the UK GDPR applies to your processing of the personal data you are transferring
• you are sending personal data (or making it accessible) to a receiver to which the UK GDPR does not apply (usually located in countries outside the UK)
• the receiver is a separate organisation or individual - this includes transfers to another company within the same corporate group

Before making a restricted transfer, you should consider whether you can achieve your aims without actually sending personal data. For example, anonymising the data (so that it cannot be used to identify an individual) would take it outside of the scope of the restrictions.

Rules on transferring personal data from the UK

Restricted transfers of personal data from the UK to other countries, including to the European Economic Area (EEA), are subject to transfer rules under the UK regime. To comply with rules on transferring data outwards from the UK, you must consider the following factors:

• Is the restricted transfer covered by adequacy regulations?
• Is the restricted transfer covered by appropriate safeguards?
• Is the restricted transfer covered by an exception?

Adequacy decisions

You may make a restricted transfer if you are sending the data to a receiver in a country, territory or organisation covered by UK adequacy regulations.

Adequacy decisions confirm that a particular country or territory (or a specified sector in a country or territory) or international organisation, has an adequate data protection regime.

The UK has adequacy decisions in relation to the EEA countries and the EU/EEA institutions, bodies, offices or agencies. This means data can continue to flow freely from the UK into the EEA. The UK also has:

• an adequacy decision for Gibraltar
• an adequacy decision for countries, territories and sectors covered by the European Commission's adequacy decisions (in force on 31 December 2020)
• partial findings of adequacy about Japan and Canada

If no adequacy decision covers your restricted transfer, you should consider putting in place one of a list of appropriate safeguards to cover the restricted transfer.

Appropriate safeguards

Appropriate safeguards ensure that both you and the receiver of the restricted transfer are legally required to protect individuals' rights and freedoms in respect of their personal data.

The safeguards include:

• a legal instrument between public authorities or bodies
• UK Binding Corporate Rules (UK BCRs)
• data protection clauses for restricted transfer
• an approved code of conduct
• certification under an approved certification scheme
• contractual clauses authorised by the ICO, including those on the basis of the new International Data Transfer Agreement (IDTA) and the EU SCCs Addendum
• administrative arrangements between public authorities or bodies

UK BCRs are intended for use by multinational corporate groups, groups of undertakings or a group of enterprises engaged in a joint economic activity such as franchises, joint ventures or professional partnerships.

For most businesses, the simplest way to provide an appropriate safeguard for a restricted transfer to a country not covered by an adequacy decision will be through agreeing the data protection clauses with the sender.

You can use the IDTA or the Addendum as a transfer tool to comply with Article 46 of the UK GDPR when making restricted transfers.

The IDTA and Addendum replaced standard contractual clauses (SSCs) for international transfers. They take into account the binding judgement of the European Court of Justice, in the case commonly referred to as 'Schrems II'.

Find guidance from the Information Commissioner's Office (ICO) on the international data transfer agreement and Addendum.

Exceptions on restricted transfers

If you are making a restricted transfer that is not covered by UK adequacy regulations, nor an appropriate safeguard, then you can only make that transfer if it is covered by one of the exceptions set out in the UK GDPR.

Specific exemptions, or derogations, for data transfers apply when:

• the data subject explicitly consents to the transfer (and is aware of the risks)
• you have a contract with the individual and:
  • the transfer is needed for the performance of that contract
  • the contract benefits another individual whose data is being transferred
• the transfer is deemed necessary for reasons of public interest
• the transfer is necessary in relation to a legal claim
• the transfer is necessary to protect the data subject's vital interests (eg their life)
• the transfer is made from a public register created under UK law
• the transfer is a one-off and necessary for your competing legitimate interests

If the UK adequacy regulations, appropriate safeguard provisions, nor exceptions apply to your transfer of data, you will be unable to make the transfer in accordance with the UK GDPR.

Rules on transferring personal data from the EEA into the UK

Under the EU GDPR, an EEA controller or processor will only be able to make a restricted transfer of personal data to countries outside of the EU/EEA if:

• the country they are sending data to is covered by an EC adequacy decision
• one of the EU GDPR appropriate safeguards is in place
• one of the list of EU GDPR exceptions applies

The EU has formally adopted 'adequacy decisions' for the UK. These allow for the ongoing free flow of personal data from the EU/EEA to the UK. Third countries deemed adequate by the EU are also maintaining unrestricted personal data flows with the UK.