Glossary
-
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
Addendum: short for the ‘international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers’. This is an addendum to the standard contractual clauses issued by the European Commission under the EU GDPR (EU SCCs) on 4 June 2021. Organisations subject to the UK GDPR can use the Addendum as a ‘safeguard’. See also ‘safeguards’ and ‘appropriate safeguards’.
Adequacy regulations: regulations made by the UK government about countries, or territories or sectors in a country, or international organisations, that it has assessed as having a level of data protection that is ‘not materially lower’ than in the UK. See also ‘full adequacy regulations’ and ‘partial adequacy regulations’.
Appropriate safeguards: when a sender chooses one of the ‘safeguards’ listed in the UK GDPR, it becomes ‘appropriate safeguards’ when the sender has completed a transfer risk assessment (TRA) and taken any extra steps necessary to ensure the level of protection in the destination country is ‘not materially lower’ than in the UK after it transfers the information. See also ‘safeguards’ and ‘transfer risk assessment’.
Cloud service provider (CSP): an organisation that provides cloud-based services.
Data protection test: a term introduced by the Data (Use and Access) Act (DUAA). It describes the requirement for the sender, acting reasonably and proportionately, to decide that the standard of protection for people’s information is ‘not materially lower’ than in the UK after it’s transferred. The sender must satisfy this test when relying on appropriate safeguards to make a restricted transfer of personal information. See also ‘appropriate safeguards’ and ‘transfer risk assessment’.
EU standard contractual clauses (EU SCCs): standard contractual clauses issued by the European Commission for international data transfers under the EU GDPR on 4 June 2021.
Exceptions (derogations): eight specific circumstances, set out in article 49 of the UK GDPR, where a restricted transfer may be made if there are no adequacy regulations and no appropriate safeguards in place.
Full adequacy regulations: adequacy regulations that cover all restricted transfers to a specified country or international organisation. See also ‘adequacy regulations’ and ‘partial adequacy regulations’.
International data transfer agreement (IDTA): standard data protection clauses for restricted transfers laid before Parliament by the Secretary of State on 2 February 2022 and issued by the ICO. Organisations can use the IDTA as a ‘safeguard’. See also ‘safeguards’ and ‘appropriate safeguards’.
International organisation: as defined in Article 4(26) of the UK GDPR, ‘an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries’.
Onward transfer: occurs when an organisation located outside the UK receives a restricted transfer of personal information and then transfers that information on to another separate organisation, also located outside the UK.
Partial adequacy regulations: adequacy regulations that cover some, but not all, restricted transfers to a specified country. It may only cover restricted transfers:
- to specific types of organisation or sectors;
- of specific types of personal information;
- to specific regions or territories of a specified country; or
- if specific conditions or circumstances apply.
Receiver: an organisation receiving a restricted transfer of personal information from a sender. See also ‘sender’.
Restricted transfer: a transfer where:
- the UK GDPR applies to the processing of the personal information being transferred;
- the sender is initiating the transfer to a receiver located outside the UK; and
- the receiver is a separate legal entity from the sender.
See also ‘transfer’.
Safeguard: one of the ‘safeguards’ for restricted transfers listed in the UK GDPR. Each safeguard is designed to make sure that both the sender and the receiver are legally required to protect people’s personal information. See also ‘appropriate safeguards’.
Sender: the organisation making a restricted transfer of personal information to a receiver. See also ‘receiver’.
Sub-processor: a processor contracted by another processor to carry out specific processing activities on behalf of a controller.
Transfer (or international transfer): sending personal information or making personal information accessible to a separate organisation located outside the UK.
Transfer risk assessment (TRA): a risk assessment required when using appropriate safeguards to make restricted transfers under the UK GDPR. It ensures the standard of protection for people’s information is not materially lower after it’s been transferred. With the introduction of the DUAA, a TRA is now referred to in UK legislation as a ‘data protection test’. We still use the term ‘transfer risk assessment’ and TRA in our guidance. See also ‘data protection test’.
Transfer rules: restrictions and requirements set out in Chapter V of the UK GDPR.
Transit: where personal information is only electronically routed through a place.
UK: United Kingdom of Great Britain (England, Scotland and Wales) and Northern Ireland.