Interactive guidance tool – Do the rules on international transfers apply?

How does this tool work?

This is an interactive guidance tool for organisations making international transfers of personal information. It can help you decide whether you’re making a ‘restricted transfer’. If you’re making a restricted transfer, the transfer rules under the UK GDPR apply. The tool is modelled on the ‘three-step test’ set out in our guidance.

There are up to six questions and in most cases it should take you around 10 minutes to complete.

Based on your answers, you’ll be given some brief guidance on how the legislation is likely to apply to your transfer scenario. If we think you need more information, we’ll signpost you to the relevant detailed guidance on our website.

The results of this tool aren’t definitive and they aren’t legal advice. It’s your responsibility to make sure your processing complies with UK data protection law. You may want to seek your own legal advice.

What do we need to understand before using the tool?

There are many reasons why you may need to transfer personal information to separate controllers or processors located outside the UK.

People risk losing the protection of UK data protection law if their personal information is transferred outside the UK.  

On that basis, the UK GDPR contains rules about transfers of personal information to separate organisations located outside the UK. These ensure that people’s rights about their personal information are protected when their information is transferred outside the UK.

These rules only apply if you’re making what we refer to as a ‘restricted transfer’.

The rules apply to all types of organisations that handle personal information. We use ‘organisation’ in this tool to refer to any legal entity that is a controller or processor of personal information, including sole traders and self-employed individuals.

We use ‘transfer’ in this tool to refer to both:

• sending personal information to a separate organisation outside the UK; and
• making personal information accessible to a separate organisation outside the UK.

This tool only applies if you’re transferring personal information. If the information isn’t personal information, the UK GDPR doesn’t apply.

If you’re processing information for law enforcement purposes under part 3 of the Data Protection Act 2018 (DPA), different rules apply. This tool isn’t designed for this context. See our separate guidance on international transfers in our Guide to law enforcement processing.

This tool focuses on the transfer rules under the UK GDPR. We can’t provide specific guidance on international transfers under the EU GDPR. If you think the EU GDPR applies to your processing, you should refer to the EU GDPR and guidance from the EU supervisory authorities or European Data Protection Board (EDPB).