A brief guide to international transfers
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
Latest updates - last updated 15 January 2026
15 January 2026 – This new guide provides a brief introduction to international transfers, including checklists to help you identify and make a 'restricted transfer'.
About this guidance
This brief guidance provides an overview of:
- when the rules on international transfers apply; and
- how to make an international transfer.
We set out checklists to help you work through what you need to do.
This is only a brief introduction to international transfers. For more information, please see our detailed guidance on international transfers.
You should read this guidance in conjunction with our other guidance. For broader guidance on data protection compliance, see our Guide to data protection.
If you’re processing information for law enforcement purposes under part 3 of the Data Protection Act 2018 (DPA), please read our separate guidance on international transfers in our Guide to law enforcement processing.
At a glance
- The UK GDPR primarily applies to organisations located in the United Kingdom.
- There are many reasons why you may need to send (or make accessible) personal information to other organisations located outside of the UK.
- People risk losing the protection of UK data protection law if their personal information is sent (or made accessible) outside the UK.
- On that basis, the UK GDPR contains rules about transfers of personal information to separate organisations located outside the UK.
- These rules apply to organisations, including sole traders and self-employed individuals, that handle personal information.
- The transfer rules apply when you send (or make accessible) personal information and all the following conditions are met:
  - the UK GDPR applies to your processing of the personal information you are sending;
  - you’re initiating the transfer of personal information to an organisation outside of the UK; and
  - the organisation receiving the information is a separate legal entity to you.
- We refer to a transfer of personal information in these circumstances as a ‘restricted transfer’.
- Every restricted transfer must be covered by one of the following transfer mechanisms:
  - UK adequacy regulations;
  - appropriate safeguards; or
  - an exception (called a “derogation” in the legislation).
- If you initiate a restricted transfer, you’re responsible for complying with the transfer rules.
- Even if you’re not responsible for complying with the transfer rules, you must comply with your other obligations or responsibilities under UK GDPR in the context of the international transfer.
Restricted transfers checklist
Deciding if it’s a restricted transfer
☐ We map out the contracts and flows of personal information between us and the organisations outside the UK that we’re transferring information to.
☐ We use the ‘three step test’ to check whether we are making a restricted transfer:
  - We check the UK GDPR applies to the processing of the personal information we’re sending (if the UK GDPR doesn’t apply, it’s not a restricted transfer).
  - We check we’re the organisation initiating the transfer of personal information to an organisation located outside the UK.
  - We check the organisation receiving the information is a separate legal entity to us.
☐ If we determine we’re responsible for initiating a restricted transfer, we're satisfied that the transfer is necessary to achieve our aims.
Making a restricted transfer
☐ We check if there are UK adequacy regulations in place for the destination country.
☐ If there are no adequacy regulations in place, we consider using appropriate safeguards:
  - We choose our safeguard, for example:
    - the International data transfer agreement (IDTA);
    - the International data transfer addendum (the Addendum); or
    - UK binding corporate rules (BCRs).
  - We complete a transfer risk assessment (TRA) to make sure that the standard of protection for people’s information is not materially lower after we transfer it.
☐ If we can’t use appropriate safeguards (including if our TRA identifies information that’s not sufficiently protected), we consider whether an exception applies.
☐ We understand that, to rely on an exception, we must generally demonstrate that it is necessary and proportionate to do so.
☐ We know that we must not make a restricted transfer if:
  - there are no UK adequacy regulations in place; and
  - we determine that we cannot use appropriate safeguards or rely on an exception.
Fulfilling our responsibilities under UK GDPR
☐ We understand that, if we initiate a transfer to a separate organisation outside the UK, we’re responsible for complying with the transfer rules.
☐ We understand the transfer rules are only one element of our wider compliance requirements under UK GDPR.
☐ Even if we’re not responsible for complying with the transfer rules, we know that we must comply with our other obligations or responsibilities under UK GDPR in the context of the international transfer.
In brief
- What is a restricted transfer?
- Are we making a restricted transfer?
- Who is responsible for complying with the rules on restricted transfers?
- How do we make a restricted transfer?
- What practical steps should we take?
What is a restricted transfer?
People risk losing the protection of UK data protection law if their personal information is sent (or made accessible) outside the UK.
As such, the UK GDPR contains rules about transfers of personal information to separate organisations located outside the UK.
We refer to a transfer of personal information to a separate organisation located outside the UK under these rules as a ‘restricted transfer’. We use ‘transfer’ to refer to both:
- sending personal information to a separate organisation outside the UK; and
- making it accessible to a separate organisation outside the UK.
The rules apply to all restricted transfers, even small, infrequent ones.
The rules apply to all organisations that handle personal information, including sole traders and self-employed individuals.
Are we making a restricted transfer?
Consider our ‘three step test’ to help you decide if you’re making a restricted transfer.
You should ask yourself:
- Step 1: Does the UK GDPR apply to our processing of the personal information we’re transferring?
- Step 2: Are we initiating the transfer of personal information to an organisation located outside the UK?
- Step 3: Is the organisation receiving the personal information a separate legal entity to us?
If you answer ‘yes’ to all three of these questions, you’re making a restricted transfer and the rules apply.
You’re not making a restricted transfer if you’re a UK processor transferring personal information to your overseas controller of that same information. In this situation, your controller is initiating the transfer, because they are instructing you to transfer the information. This is part of step two.
Example
You're a UK-based business and you use an organisation in India to support your customer services function. You do not send the organisation any personal information. Instead, you allow them access to the personal information you hold on your systems.
Step 1: The UK GDPR applies to the personal information you are making accessible to the organisation in India. This is because you’re a UK-based business.
Step 2: The organisation you contract with is based in India, which is outside the UK. It is set out in your contract with the Indian organisation that you agree to provide them with access to the personal information. This means that you’re initiating the transfer.
Step 3: The organisation in India accessing the personal information is a separate legal entity to you.
The three steps have been met. Therefore, you’re making a restricted transfer.
Who is responsible for complying with the rules on restricted transfers?
If your organisation initiates a restricted transfer, you’re responsible for complying with the transfer rules.
This is the case whether you’re located in the UK or not, as long as the UK GDPR applies to your processing activity.
This also applies wherever your organisation is in the processing contractual chain (ie regardless of whether you’re a controller, a processor or a sub-processor).
When you’re responsible, you must make sure the restricted transfer is covered by:
- UK adequacy regulations;
- appropriate safeguards; or
- an exception (called a “derogation” in the legislation).
This is in addition to your other obligations or responsibilities under the UK GDPR.
Example
A UK-based organisation that specialises in international recruitment sends personal information of prospective employees to a client. The client is a separate organisation located in Japan. The UK-based recruitment organisation (acting as a controller) is responsible for complying with the transfer rules because it initiates the restricted transfer.
The same UK recruitment organisation later outsources its processing of prospective employee applications to you, a separate UK service company. It asks you to send the personal information directly to its Japanese client. In this situation, a restricted transfer takes place between the UK recruitment organisation (your controller) and the organisation in Japan. Your controller is responsible for complying with the transfer rules – even if the information flows from you – because the controller initiates the transfer.
Even if you’re not responsible for the transfer, you must comply with your other obligations or responsibilities under UK GDPR.
How do we make a restricted transfer?
You must make sure that your restricted transfer is covered by:
- UK adequacy regulations;
- appropriate safeguards; or
- an exception.
When your transfer is covered by adequacy regulations, adequacy is the most efficient way to make the restricted transfer. This is because information can flow freely from the UK without you needing to put in place any additional safeguard. However, you should still make checks on any organisation you share personal information with under your other UK GDPR obligations.
If you cannot, or choose not to, rely on adequacy, you could use one of the safeguards listed in article 46 of the UK GDPR. These ensure that both you and the receiver of the restricted transfer are legally required to protect people’s personal information. You could, for example, use our International data transfer agreement (IDTA).
If you rely on a safeguard, you must also ensure that you have completed a transfer risk assessment (TRA).
If there are no UK adequacy regulations or appropriate safeguards that cover your restricted transfer, you must ensure that one of the exceptions set out in article 49 of the UK GDPR applies.
If you can’t identify an appropriate exception, you must not make the transfer.
What practical steps can we take?
You should take practical steps to help you understand:
- whether you need to make a restricted transfer; and
- how to apply the rules to your circumstances.
To help you do this, you could:
- consider the factual situation and ensure you understand, for example:
  - which separate legal entities are involved; and
  - what capacity each party is acting in (ie as a controller, joint controller or a processor); and
- map out the contracts and flow of personal information between you and the organisations located outside the UK that you’re transferring personal information to.