UK General Data Protection Regulation (UK GDPR)
Rules on restricted transfers of personal data
If you are subject to the UK General Data Protection Regulation (UK GDPR) and are transferring personal data outside of the UK, you are making what is known as a 'restricted transfer'.
There are strict rules on such transfers. These apply to all data transfers, no matter the size of the transfer or how often you carry them out.
Are you making a restricted transfer?
You are making a restricted transfer of personal data if:
- the UK GDPR applies to your processing of the personal data you are transferring
- you are sending personal data (or making it accessible) to a receiver to which the UK GDPR does not apply (usually located in countries outside the UK)
- the receiver is a separate organisation or individual - this includes transfers to another company within the same corporate group
Before making a restricted transfer, you should consider whether you can achieve your aims without actually sending personal data. For example, anonymising the data (so that it cannot be used to identify an individual) would take it outside of the scope of the restrictions.
Rules on transferring personal data from the UK
Restricted transfers of personal data from the UK to other countries, including to the European Economic Area (EEA), are now subject to transfer rules under the UK regime. These UK transfer rules currently broadly mirror the EU General Data Protection Regulation (EU GDPR) rules.
To comply with rules on transferring data outwards from the UK, you must consider the following factors:
- Is the restricted transfer covered by adequacy regulations?
- Is the restricted transfer covered by appropriate safeguards?
- Is the restricted transfer covered by an exception?
You may make a restricted transfer if you are sending the data to a receiver in a country, territory or an organisation covered by UK adequacy regulations.
Adequacy decisions confirm that a particular country or territory (or a specified sector in a country or territory) or international organisation, has an adequate data protection regime.
The UK has adequacy decisions in relation to the EEA countries and the EU/EEA institutions, bodies, offices or agencies. This means data can continue to flow freely from the UK into the EEA.
The UK also has:
- an adequacy decision for Gibraltar
- an adequacy decision for countries, territories and sectors covered by the European Commission's adequacy decisions (in force at 31 December 2020)
- partial findings of adequacy about Japan and Canada
If no adequacy decision covers your restricted transfer, you should consider putting in place one of a list of appropriate safeguards to cover the restricted transfer.
Appropriate safeguards ensure that both you and the receiver of the restricted transfer are legally required to protect individuals' rights and freedoms in respect of their personal data.
The safeguards include:
- a legal instrument between public authorities or bodies
- Binding Corporate Rules (BCRs)
- Standard Contractual Clauses (SCCs)
- an approved code of conduct
- certification under an approved certification scheme
- contractual clauses authorised by the ICO
- administrative arrangements between public authorities or bodies
BCRs are intended for use by multinational corporate groups, groups of undertakings or a group of enterprises engaged in a joint economic activity such as franchises, joint ventures or professional partnerships.
For most businesses, the simplest way to provide an appropriate safeguard for a restricted transfer is to enter into standard contractual clauses with the sender of the personal data.
Exceptions on restricted transfers
If you are making a restricted transfer that is not covered by UK adequacy regulations, nor an appropriate safeguard, then you can only make that transfer if it is covered by one of the exceptions set out in the UK GDPR.
Specific exemptions, or derogations, for data transfers apply when:
- the data subject explicitly consents to the transfer (and is aware of the risks)
- you have a contract with the individual and:
- the transfer is needed for the performance of that contract
- the contract benefits another individual whose data is being transferred
- the transfer is deemed necessary for reasons of public interest
- the transfer is necessary in relation to a legal claim
- the transfer is necessary to protect the data subject's vital interests (eg their life)
- the transfer is made from a public register created under UK law
- the transfer is a one-off and necessary for your competing legitimate interests
If the UK adequacy regulations, appropriate safeguard provisions, nor exceptions apply to your transfer of data, you will be unable to make the transfer in accordance with the UK GDPR.
Rules on transferring personal data from the EEA into the UK
Currently, data can still flow freely from the EEA into the UK because the EU has agreed to delay transfer restrictions for at least four months. This is known as the 'bridge' and may be extended to six months.
During this period, the European Commission (EC) will be considering whether to grant an adequacy decision for the UK. On 19 February 2021, the EC has published its draft UK adequacy decisions. If adopted, these decisions will allow for continued free flow of personal data from the EU into the UK.
If the 'bridge' ends without the EC adopting an adequacy decision for the UK, transfers from the EEA to the UK will need to comply with EU GDPR transfer restrictions.
Under the EU GDPR, an EEA controller or processor is only be able to make a restricted transfer of personal data to if:
- the country they are sending data to is covered by an EC adequacy decision
- one of the EU GDPR appropriate safeguards is in place
- one of the list of EU GDPR exceptions applies
If the 'bridge' ends without the adequacy decision for the UK, and your business receives personal data from the EEA, you will need to rely on one of the other mechanisms in order to continue lawfully transferring personal data from the EU into the UK.
You should consider the relevant provisions and put in place alternative safeguards by the end of April 2021, if you haven't done so already. For most businesses, the most convenient safeguard will be the use of standard contractual clauses.
For current information, see using personal data in your business or other organisation from 1 January 2021.
This guide does not constitute legal advice and is provided for general information purposes only.
ICO Helpline0303 123 1113