Awdurdod annibynnol y Deyrnas Unedig a sefydlwyd i gynnal hawliau gwybodaeth er budd y cyhoedd, annog cyrff cyhoeddus i fod yn agored a hybu preifatrwydd data i unigolion.

1. Can we still transfer data to and from Europe?

Transfers of data from the UK to the European Economic Area (EEA) are not restricted. The EU has agreed to delay transfer restrictions from the EEA to the UK for at least another four months, which can be extended to six months (known as the bridge). This enables personal data to flow freely from the European Economic Area (EEA) to the UK until either adequacy decisions are adopted, or the bridge ends.

Unless the EU Commission makes an adequacy decision before the bridge ends, EU GDPR transfer rules will apply to any data coming from the EEA into the UK. You need to consider what safeguards you can put in place to ensure that data can continue to flow into the UK.

If you receive personal data from the EEA, we recommend you put alternative safeguards in place before the end of April, if you haven’t done so already.

For more information, read  Data Protection after the end of the transition period and our guidance on international transfers.

We have also produced an interactive tool on using standard contractual clauses for transfers into the UK to help you.

2. How do you define "data" for the purposes of a transfer?

A restricted transfer is a transfer of personal data to another country outside the UK or EU. Personal data is any information that relates to an identified or identifiable person. This includes where you can, directly or indirectly, identify the person.

Read our further guidance on what amounts to personal data.

3. If a UK company is using an EU processor, would the “return” of UK data back to the UK controller be a restricted transfer?

As the processor is in the EU, they need to comply with the EU GDPR. However, the EU has agreed that there will be no restrictions on data flows into the UK for at least four months after 1 January 2021, while adequacy negotiations continue. During this bridge period, this is not a restricted transfer.

Once the bridge ends, the UK is a third country, so returning data to the UK from the EU may be a restricted transfer. As the ICO is not the regulator for this data flow, we can’t provide definitive advice and you may need to check with local EU regulators for advice on how to comply with EU law.

The EDPB have recently published a statement on the end of the Brexit transition period.

4. After the end of the bridge can EEA customers continue to send their data to UK-based organisations?

Yes. If someone is sending you their own personal data, or they are sending you someone else’s data for purely personal, family or household reasons, this would not be a restricted transfer. This is because the processing by the sender for these reasons falls outside the GDPR’s scope. In these circumstances, you would not need to implement an appropriate safeguard. However, you would still be subject to the data protection legislation once you receive that personal data and begin processing it yourself. For example, you should still provide the necessary privacy information and store the personal data in line with the GDPR principles.

You can read more on what counts as a restricted transfer on our international transfers page.

5. We’re based in the UK, but have an employee who works abroad remotely. Do we need to put an appropriate safeguard in place?

No. If you are sending personal data to someone you or your company employ, this is not a restricted transfer. The transfer restrictions in the UK GDPR only apply if you are sending personal data outside your organisation.

However, you must still assess any potential risks to the personal data as a result of sharing it outside the UK and ensure you have adequate security measures in place to protect the data.

You can read more on what counts as a restricted transfer on our international transfers page.