Appropriate safeguards
-
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
Latest updates – last updated 15 January 2026
15 January 2026 – We’ve broken down the content of our previous Guide to international transfers into specific detailed guides, including this one on Appropriate safeguards. We’ve updated this guidance to reflect new language brought in by the Data (Use and Access) Act to refer to the standard of protection required when using one of the Article 46 “safeguards”.
About this guidance
This guidance discusses appropriate safeguards for international transfers in detail. It's aimed at Data Protection Officers (DPOs) and those with specific data protection responsibilities.
It provides information on what appropriate safeguards are and when they apply. It also sets out what you need to do to comply with the legislation.
In this guidance, we provide some examples to help illustrate how the legislation might apply in practice. However, we don't address every aspect of regulatory compliance that applies to you.
You should read this guidance in conjunction with our other guidance on international transfer. For more information on data protection compliance, see our Guide to data protection.
If you’re processing information for law enforcement purposes under part 3 of the Data Protection Act 2018 (DPA), please read our separate guidance on international transfers in our Guide to law enforcement processing.
Contents
- What are the rules on appropriate safeguards?
- What is a legally binding and enforceable instrument?
- What are binding corporate rules?
- What are standard data protection clauses (the UK IDTA and Addendum)?
- What is a code of conduct approved by the ICO?
- What is certification under a certification scheme approved by the ICO?
- What are contractual clauses authorised by the ICO?
- What is an administrative arrangement authorised by the ICO?