What is a code of conduct approved by the ICO?

The UK GDPR endorses the use of approved codes of conduct to demonstrate compliance with its requirements. We are responsible for approving such codes.

You can make a restricted transfer under an approved code of conduct if:

the code permits organisations located outside the UK to sign up to it; and
the receiver located outside the UK has signed up to the code.

The code of conduct must include safeguards to protect the rights of people the transferred information is about, alongside binding and enforceable commitments by the receiver to apply those safeguards.

Before you rely on the approved code as a safeguard, you must complete a TRA to make sure the standard of protection for people’s information is not materially lower after you transfer it.

There are currently no approved UK codes of conduct for restricted transfers. We plan to publish dedicated guidance on using codes of conduct for restricted transfers in 2026.

Further reading – ICO guidance