How do we comply with the transfer rules if we're initiating the restricted transfer?

In detail

Are we responsible for complying with transfer rules?

Remember, you’re only responsible for complying with the UK GDPR transfer rules if your organisation initiates restricted transfers. For more on this, see Step two: Are we initiating the transfer of personal information to an organisation outside the UK?

Even if you’re not responsible for the transfer, you have other obligations or responsibilities under the UK GDPR. For further information, see What are our other key UK GDPR obligations in the context of international transfers?

How do we make a restricted transfer?

You must ensure that the restricted transfer is covered by:

  • UK adequacy regulations;
  • appropriate safeguards; or
  • an exception (called a “derogation” in the legislation).

What are adequacy regulations?

UK adequacy regulations set out which countries (or territories or sectors in a country) or international organisations the UK government has assessed as having a level of data protection that is “not materially lower” than UK law.

This standard was previously referred to by us as ‘sufficiently similar’. In the EU, this is referred to as “essentially equivalent”.

The principle is the same: you must ensure that the standard of protection for people is not undermined after you transfer their personal information.

You can make a restricted transfer if the receiver is:

  • located in a third country or territory or sector covered by UK adequacy regulations; or
  • an international organisation covered by UK adequacy regulations.

When your restricted transfer is covered by adequacy regulations, this is the most efficient way to make it. This is because information can flow freely from the UK without you needing to put in place appropriate safeguards or rely on an exception.

You can read more about this in our separate guidance on adequacy regulations.

You must also ensure that you comply with the other requirements under the UK GDPR. See What are our other key UK GDPR obligations in the context of international transfers?

What are appropriate safeguards?

Article 46 of the UK GDPR sets out a list of safeguards. Each safeguard is designed to ensure that both you, as the sender, and the receiver are legally required to protect people’s personal information.

The safeguards are:

  • a legally binding and enforceable instrument between a public body and another public body, an international organisation, or an organisation carrying out public functions;
  • binding corporate rules (BCRs);
  • standard data protection clauses – the ICO’s International data transfer agreement (IDTA) and the International data transfer addendum (the Addendum);
  • a code of conduct approved by the ICO;
  • a certification under a certification scheme approved by the ICO;
  • contractual clauses authorised by the ICO; and
  • administrative arrangements, authorised by the ICO, between a public body and another public body, an international organisation, or an organisation carrying out public functions.

If you plan to use one of these safeguards, you must first complete a transfer risk assessment (TRA). Completing a TRA helps you ensure that the standard of protection for people’s information is “not materially lower” after you transfer it.

With the introduction of the Data (Use and Access) Act (DUAA), a TRA is now referred to in the legislation as a “data protection test”.

To meet the data protection test, you must decide, acting reasonably and proportionately, that the standard of protection for people’s information is not materially lower than in the UK after you transfer that information.

Your chosen safeguard becomes “appropriate safeguards” when:

  • you’ve completed a TRA;
  • you’ve taken any extra technical and organisational steps and put in place any extra protections identified in your TRA; and
  • the safeguard, including any extra contractual clauses identified in your TRA, has been executed so that it’s legally binding on the relevant organisations.

If you carried out a TRA following our guidance before the DUAA came into effect and you concluded that the level of protection was sufficient, you’ve met the data protection test. The principle remains the same: you must ensure that the standard of protection for people is not undermined after you transfer their personal information.

We still use the term ‘transfer risk assessment’ and TRA in our guidance, but we’ve updated our TRA guidance to match the new wording of the data protection test.

Please read our separate guidance on appropriate safeguards and completing a transfer risk assessment for more information.

What are the exceptions?

If there are no UK adequacy regulations or appropriate safeguards that cover your restricted transfer, you must ensure that one of the exceptions set out in article 49 of the UK GDPR applies.

You can make a restricted transfer if one of the following exceptions applies:

  • you’ve obtained explicit consent for the transfer from the person the information is about;
  • the transfer is necessary to perform a contract with the person the information is about;
  • the transfer is necessary to conclude or perform a contract with a third party, and doing so benefits the person the information is about;
  • the transfer is necessary for important reasons of public interest recognised in UK law;
  • the transfer is necessary to establish, make or defend a legal claim;
  • the transfer is necessary to protect someone’s vital interests (eg a medical emergency), and the person the information is about isn’t able to give their consent;
  • the disclosure is from a public register; or
  • the transfer is a one-off transfer necessary for your compelling legitimate interests.

If you can’t identify an appropriate exception, you must not make the restricted transfer.

If you’re making restricted transfers that are regular and predictable, or systematic, you’re less likely to be able to show that an exception is necessary and proportionate.

Please read our separate guidance on exceptions for more information.

Example

A UK travel agency offers holiday packages to Kenya. It works with a Kenyan excursion company to arrange outings while the customers are in the country. The UK travel agency has several bookings every year. It transfers its customers’ personal information to the Kenyan company on a regular basis.

The UK travel agency identifies that there are no UK adequacy regulations for Kenya. It considers using an exception but decides this isn’t proportionate given the regularity and volume of restricted transfers it wishes to make. It chooses to rely on a safeguard to make the restricted transfers.

It chooses the international data transfer agreement (IDTA) as its preferred safeguard. It also completes a transfer risk assessment (TRA) before making the restricted transfers to ensure the level of protection is not materially lower than in the UK after it transfers the information.

Once the IDTA is in place, the UK travel agency regularly reviews its TRA and IDTA to make sure that the level of protection for people’s information is not undermined after it transfers that information.