Using personal data in your business or other organisation


Last updated 10 March 2023

This information is for UK businesses and other organisations that:

  • receive and transfer personal data to/from organisations abroad, including the European Economic Area (EEA), which includes the EU
  • operate in the EEA

You can find further information on the Information Commissioner's Office (ICO) website. The ICO is the independent supervisory authority for data protection in the UK.

What personal data is

Personal data is any information that can be used to identify a living person, including names, delivery details, IP addresses, or HR data such as payroll details. Most organisations use personal data in their daily operations.

An example of this is a UK company that receives customer information from an EU company, such as names and addresses, to provide goods or services.

Receiving personal data from the EU/EEA and third countries which have EU adequacy decisions

The EU has formally adopted 'adequacy decisions' for the UK. These allow for the ongoing free flow of personal data from the EU/EEA to the UK.

All of the third countries deemed adequate by the EU are maintaining unrestricted personal data flows with the UK. Find further information on the ICO's website.

Personal data flows from the UK

There are no changes to the way you send personal data to the EU/EEA, Gibraltar and other countries deemed adequate by the EU. If this situation changes, we will update this page.

For international data transfers from the UK to other jurisdictions, see further information on the ICO's website.

Data protection and GDPR

The UK's data protection regime is set out in the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. The Information Commissioner is the UK's independent supervisory authority on data protection.

First published 5 October 2020