A guide to international transfers

Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.

Latest updates – last updated 15 January 2026

15 January 2026 – We’ve broken down the content of our previous Guide to international transfers into specific detailed guides, including this detailed guide to international transfers. We’ve expanded our guidance on what is and isn’t a restricted transfer, introducing a ‘three step test’ and providing more examples. Our updated guidance includes new content to support organisations with their obligations, including information about who is responsible for the transfer rules and key responsibilities in the context of international transfers. We’ve also added some practical steps you can take to help you comply.

At a glance

This guidance discusses international transfers in detail. It's aimed at Data Protection Officers (DPOs) and those with specific data protection responsibilities.

It provides guidance on what an international transfer is and when the rules on international transfers apply. It also sets out what organisations need to do to comply with the legislation.

In this guidance, we provide some examples to help illustrate how the legislation might apply in practice. However, we don't address every aspect of regulatory compliance that applies to you.

You should read this guidance in conjunction with our other guidance on international transfers. For more information on data protection compliance, see our Guide to data protection.

If you’re processing information for law enforcement purposes, under part 3 of the Data Protection Act 2018 (DPA), please read our separate guidance on international transfers in our Guide to law enforcement processing.

A guide to international transfers

At a glance

Contents