Is the restricted transfer covered by adequacy regulations?
In detail
- When can we rely on adequacy to make a restricted transfer?
- What is ‘adequacy’ and what are adequacy regulations?
- What is the difference between full and partial adequacy regulations?
- What countries, territories, sectors or international organisations are covered by adequacy regulations?
- Do we need to complete a transfer risk assessment when making restricted transfers under adequacy regulations?
- What if there are no adequacy regulations covering the restricted transfer?
- What are the roles of the UK government and the ICO?
When can we rely on adequacy to make a restricted transfer?
Transfers of personal information to separate organisations outside the UK under UK GDPR are known as ‘restricted transfers’. You must not make restricted transfers unless certain conditions are met.
You can read more about what a restricted transfer is in our Guide to international transfers.
When you make a restricted transfer, you must ensure that the transfer is covered by:
- UK adequacy regulations;
- appropriate safeguards; or
- an exception (called a “derogation” in the legislation).
If there are no UK adequacy regulations which cover your restricted transfer, you must ensure you use appropriate safeguards for the transfer or rely on an exception.
What is ‘adequacy’ and what are adequacy regulations?
The term ‘adequacy’ originated in the EU. It describes countries (or territories or sectors in a country) or international organisations which the European Commission has assessed as having an “essentially equivalent” level of data protection to that of the EU.
The term is similarly used in the UK to describe countries (or territories or sectors in a country) or international organisations that the UK government has assessed as having a level of data protection that is “not materially lower” than provided for by UK law.
Prior to the Data (Use and Access) Act (DUAA), we referred to this standard as ‘sufficiently similar’.
Although the standard is referred to differently in EU and UK legislation, the principle is the same: the standard of protection provided by the third country for people whose information is transferred is not undermined.
UK adequacy regulations (also sometimes referred to as ‘data bridges’) set out which countries (or territories or sectors in a country) or international organisations the UK government has deemed to have an adequate data protection regime to protect personal information.
You can make a restricted transfer if the receiver is:
- located in a country, or sector or territory in a country, covered by UK adequacy regulations; or
- an international organisation covered by UK adequacy regulations.
When your transfer is covered by adequacy regulations, adequacy is the most efficient way to make the restricted transfer. This is because information can flow freely from the UK without you needing to put appropriate safeguards in place.
You don’t have to rely on adequacy regulations to make the restricted transfer. You can still use appropriate safeguards if there is a business requirement to do so.
There is separate guidance on international transfers in our Guide to law enforcement processing about adequacy regulations that apply when processing for a law enforcement purpose.
What is the difference between full and partial adequacy regulations?
Adequacy regulations create:
- ‘full adequacy’ for a specified country or international organisation; or
- ‘partial adequacy’ for a territory, or sector within a specified country.
Full adequacy regulations cover all restricted transfers of personal information to a specified country or international organisation.
Partial adequacy regulations only cover certain restricted transfers of personal information to a specified country. They may only cover restricted transfers:
- to specific types of organisation or sectors;
- of specific types of personal information;
- to specific regions or territories of a specified country; or
- if specific conditions or circumstances apply.
Before relying on partial adequacy regulations, you must check the scope of the adequacy regulations and ensure that they cover the personal information you’re transferring.
We have indicated below where partial adequacy applies and provided further information to help you check.
What countries, territories, sectors or international organisations are covered by adequacy regulations?
Current UK adequacy regulations cover the following countries, territories, sectors and international organisations:
- All the countries in the European Economic Area (EEA) have full adequacy. These are:
  - The EU member states: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden.
  - The EEA states: Iceland, Norway and Liechtenstein.
  - EU or EEA institutions, bodies, offices or agencies.
- The countries, territories, sectors and international organisations covered by European Commission adequacy decisions valid as at 31 December 2020 or transitioned into UK law when the UK left the EU, or both:
  - Full adequacy: Andorra, Argentina, Faroe Islands, Gibraltar, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.
  - Partial adequacy:
    - Canada:
      - Only applies to restricted transfers if the information is subject to Canada's Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA only applies to private sector organisations that collect, use or disclose personal information in the course of commercial activities. See EU adequacy decision - Canadian PIPEDA.
      - If you’re transferring information to Canada and are intending to rely on adequacy regulations, you must check that Canada's PIPEDA law will apply to the personal information you’re transferring.
      - You can ask the organisation you’re contracting with to confirm this. If you’re in doubt, you may want to get your own legal advice. If you remain unsure, you should not rely on adequacy regulations to make the restricted transfer.
    - Japan:
      - Only applies to restricted transfers to private sector organisations falling within the scope of Japan’s Act on the Protection of Personal Information (APPI) by Personal information handling business operators (PIHBOs) within the meaning of the APPI. See EU adequacy decision - Japan (article 1(2) sets out the categories of recipient not covered by the decision). If you’re sending information to Japan and are intending to rely on adequacy, you should check that the recipient is covered by adequacy.
      - If you’re transferring information to Japan and are intending to rely on adequacy regulations, you must check that the recipient is a PIHBO and APPI will apply to the personal information you’re transferring.
      - You can ask the organisation you’re contracting with to confirm this. If you’re in doubt, you may want to get your own legal advice. If you remain unsure, you should not rely on adequacy to make the restricted transfer.
- The UK government has made further adequacy regulations since 31 December 2020.
  - Full adequacy: The Republic of Korea (South Korea). See UK adequacy regulations - Republic of Korea and UK government supporting documents - Republic of Korea.
  - Partial adequacy: United States (US). Only covers personal information transferred under the UK Extension to the EU-US Data Privacy Framework. See UK adequacy regulations - UK Extension to the EU-US Data Privacy Framework. The UK government has published supporting documents about the adequacy regulations (referred to as the UK-US data bridge), including a UK-US data bridge factsheet for UK organisations. You can also read our guidance on How does the UK Extension to the EU-US Data Privacy Framework work?
Do we need to complete a transfer risk assessment when making restricted transfers under adequacy regulations?
No. Adequacy regulations mean the UK government has assessed the country (or territory or sector in a country) or international organisation as providing an adequate level of data protection. You don’t need to complete a transfer risk assessment (TRA) or put appropriate safeguards in place if you rely on the adequacy regulations for the restricted transfer.
However, you should still make reasonable and proportionate checks that the recipient will comply with its data protection obligations under local data protection laws.
What if there are no adequacy regulations covering the restricted transfer?
If there are no UK adequacy regulations which cover your restricted transfer, you must ensure it is covered by appropriate safeguards or rely on an exception.
Example
A UK government department is sending employees to attend a conference in Canada which is being hosted by the Canadian government in Ottawa. The UK organisation sends information about its employees who will be attending to:
- the department of the Canadian government which is hosting the event; and
- Hotel Ottawa where the employees are staying.
These are restricted transfers.
The adequacy regulations for Canada only apply to transfers if the information is subject to Canada's Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA only applies to private sector organisations that collect, use or disclose personal information in the course of commercial activities.
The UK government department cannot rely on adequacy regulations for the restricted transfer to the Canadian government, as it isn’t in scope of the adequacy regulations. It must consider using appropriate safeguards or rely on an exception.
The UK government department can rely on adequacy regulations for the restricted transfer to Hotel Ottawa, as PIPEDA applies to the hotel’s processing of this information.
Example
A UK business (controller) has a data processor located in Australia who provides IT support services. The Australian company accesses the UK business’ servers, which are based in the UK.
Allowing the Australian company to access information held in the UK is a restricted transfer.
The UK business cannot rely on adequacy as there are no UK adequacy regulations in place for Australia. It must consider using appropriate safeguards or rely on an exception.
What are the roles of the UK government and the ICO?
The UK government is responsible for making adequacy regulations and for monitoring developments in countries covered by adequacy regulations that could affect decisions to maintain, amend or revoke such adequacy regulations.
It published its approach to international data transfers in 2021.
Our role in assisting the Department for Science, Innovation and Technology (DSIT) with this work is set out in a memorandum of understanding. (DSIT was previously the Department for Digital, Culture, Media and Sport).
We expect any future adequacy regulations will be finalised in accordance with this Memorandum and they’ll be issued by the UK government. We publish an opinion on each new adequacy assessment the government has undertaken. We intend to continue to do so.
We’ll keep the list of countries, sectors, territories or international organisations covered by adequacy regulations up to date in this guidance.