Due to the various mechanisms and regulations surrounding international data transfers, it can be difficult to determine exactly what is required and how UK entities can transfer data abroad whilst complying with data protection law.
This article sets out some of the key points to consider when data is being transferred internationally:
1. Is this a ‘restricted transfer’?
Check whether the contemplated transfer will be classed as a ‘restricted transfer’ under data protection law. A restricted transfer will occur if the personal data you are processing is covered by the retained EU General Data Protection Regulation (UK GDPR) and is to be either transferred or made accessible to a separate (legally distinct) controller or processor who is located outside the UK.
Restricted transfers include the transfer of personal data to an overseas company within your corporate group, but do not include the transfer of personal data to a receiver who is employed by you or by the same employer as you.
2. Identify your safeguards
Ensure that you can make a restricted transfer in compliance with the law. Consider the following options:
- UK adequacy decision
If the receiver is located in a territory which is covered by a UK adequacy decision, a restricted transfer can be made, subject to certain requirements. The UK has currently granted adequacy decisions for all European Economic Area (EEA) countries, and certain other countries and territories outside the EEA. For more details of countries which have UK adequacy regulations, see the information under question one of the ICO’s guidance on international transfers. The most recent adequacy decision by the UK took place in September 2023 for an extension to the EU-US Data Privacy Framework (DPF) (known as a “Data Bridge”). Such transfers will be deemed to meet the test of adequacy for the purposes of UK GDPR and the Data Protection Act 2018, as long as the US receiver is certified under the data privacy framework. You can find out more about transferring data to the US under this Data Bridge in our article here.
- Appropriate safeguards
If no adequacy decision applies, you may be able to make a restricted transfer using appropriate safeguards under Article 46 of the UK GDPR. These safeguards include the use of standard data protection clauses, such as the International Data Transfer Agreement (IDTA) and International Data Transfer Addendum (Addendum), which can be incorporated into your contracts with the receiver. You must also complete a transfer risk assessment, which you can find further guidance on in this ICO note.
- Emergency situations
You may be able to make a restricted transfer if it is necessary due to an emergency situation, including serious health risks, or if the person that the data relates to cannot give their consent.
- Derogations
If none of the elements above apply to your prospective transfer, there are certain exceptions that may be relied upon to validate the transfer.
3. Review your past transfer agreements
Until 21 March this year, you can still rely on EU standard contractual clauses (SCCs) to transfer data to receivers outside of the EEA, provided that you are using the “new” SCCs (introduced in the EU in June 2021) and the activities of the receiver are not subject to the UK GDPR. The “old” SCCs were phased out on 22 September 2022 and can no longer be used.
It is important to note that the new SCCs do not apply to transfers which are subject to UK GDPR. For these transfers, you must either add the Addendum to your SCCs or use the IDTA.
If your organisation has transfer agreements made prior to 22 September 2022, these should be reviewed and replaced (before 21 March) by either the IDTA or the new SCCs plus the Addendum.
If you have any questions about international transfers of personal data, or would like assistance in putting arrangements in place, please contact the Birketts Data Protection Team.
The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article, please contact the author in the first instance. Law covered as at January 2024.