General Data Protection Regulation (GDPR)

International transfers of personal data
The General Data Protection Regulation (GDPR) restricts the transfer of personal data outside the European Union. The restrictions may affect a broad range of businesses including those using, for example, online IT services, cloud-based services, remote access services or global HR databases.

Important: The GDPR remains in force in the UK during the Brexit transition period, scheduled to end on 30 December 2020. Until then, personal data will be able to flow freely and unrestricted between the UK and the EU. The UK government has said that transfers of data from the UK to the European Economic Area (EEA) will not be restricted after the transition period ends. However, from 1 January 2021, GDPR transfer rules will apply to any data coming from the EEA into the UK. You need to consider what GDPR safeguards you can put in place to ensure that data can continue to flow into the UK. See more on Brexit: Data protection and EU exit.

Conditions for cross-border transfers

Under current regulations, transferring personal data to a non-EU country or territory is possible if one of the following applies:

  • the recipient's country is deemed to provide an adequate level of data protection - see GDPR adequate countries list
  • you put in place appropriate safeguards before exporting your data
  • standard contractual clauses apply - see more on model clauses
  • binding corporate rules (BCRs) apply and are approved - see more on BCRs
  • you adhere to approved industry codes of conduct and certification schemes
  • ad hoc safeguards apply
  • a specific derogation applies

In a no-deal Brexit scenario, UK businesses may need to rely on one of these mechanisms in order to continue lawfully transferring personal data from the EU into the UK. The flow of data from the UK into the EU is expected to remain unaffected.

Data transfer derogations

Specific exemptions, or derogations, for data transfers apply when:

  • the data subject explicitly consents to the transfer (and is aware of the risks)
  • the transfer is needed for the performance of a contract
  • the transfer is deemed necessary for reasons of public interest
  • the transfer is necessary in relation to a legal claim
  • the transfer is necessary to protect the data subject's vital interests (eg their life)
  • the transfer is made from a public register established by law in the European Union or a member state
  • the transfer is necessary for the 'legitimate interests' of the data controller

Find more information on international data transfers under the GDPR.

Problems accessing personal data from outside the UK

To mitigate the possible cross-border transfer restrictions, you should:

  • consider the impact of Brexit on the flow of personal data in and out of your business
  • establish clear rules for data processing throughout the supply chain
  • carry out due diligence and negotiate compliant data sharing / processor agreements
  • incorporate EU model clauses if appropriate
  • identify appropriate safeguards that would allow you to continue to transfer data across EEA borders

Find ICO's data protection and Brexit resources to help you prepare for data compliance after Brexit.

Data processing contracts

Whether the transfer takes place within or outside Europe, the rules on sharing data with other organisations (eg suppliers) are stringent. This is also the case if you share data with processors.

Under the GDPR, data controllers can only work with data processors that provide sufficient guarantees that they meet the regulation's requirements.

The GDPR sets out specific terms that you must include in your contract with a data processor if you give them access to personal data. These terms should ensure that the processor:

  • processes the personal data only on your documented instructions
  • gets your written consent before engaging any sub-processors
  • ensures that only authorised personnel (subject to confidentiality) can access the data
  • deletes or returns all personal data upon completion of the processing
  • takes all appropriate technical and organisational measures to ensure compliance with the GDPR obligations
  • makes available all information necessary to demonstrate compliance
  • cooperates fully with audits, inspections, and similar actions

You will have to take full responsibility for proper and secure handling of personal data. See more on contracts and also liabilities between controllers and processors.

This guide aims to help you understand GDPR and your obligations under the law, but it does not constitute legal advice. For definitive legal guidance, see the ICO's guide on GDPR or consider getting independent legal advice.