Data protection and the EU in detail
-
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
On 19 December 2025 the European Commission renewed the two adequacy decisions for the UK:
This means that personal information can continue to flow from the EU to the UK.
Under the renewed GDPR decision, personal information for the purposes of UK immigration control, or which otherwise falls within the scope of the immigration exemption in the DPA, is now included.
We are updating our guidance for receiving personal information from the EEA.
On 28 June 2021 the EU Commission adopted decisions on the UK’s adequacy under the EU’s General Data Protection Regulation (EU GDPR) and Law Enforcement Directive (LED). In both cases, the European Commission has found the UK to be adequate. This means that most data can continue to flow from the EU and the EEA without the need for additional safeguards. The adequacy decisions do not cover data transferred to the UK for the purposes of immigration control, or where the UK immigration exemption applies. For this kind of data, different rules apply and the EEA sender needs to put other transfer safeguards in place.
Does this guidance apply to us?
This guidance explains data protection now the UK has left the EU in more detail. Read it if you have detailed questions not answered in our other resources, or if you need a deeper understanding of data protection law and how it has changed.
It is particularly relevant to UK businesses and organisations that target European customers or operate inside the European Economic Area (EEA).
This guidance is aimed primarily at DPOs and those with specific data protection responsibilities. It is not aimed at individuals and, if needed, we will provide guidance for individuals in due course. If you haven’t yet read our in brief page on data protection and the EU, you should read that first.