
What are the rules on exceptions?


When can we rely on an exception to make a restricted transfer?

The UK GDPR contains rules about transfers of personal information to separate organisations outside the UK. These rules only apply if you’re making what we refer to as a ‘restricted transfer’. For more information about when the transfer rules apply, please read A guide to international transfers.

When you make a restricted transfer, you must ensure that the transfer is covered by:

  • UK adequacy regulations;
  • appropriate safeguards; or
  • an exception (called a “derogation” in the legislation).

If there are no UK adequacy regulations or appropriate safeguards covering your restricted transfer, you must ensure that one of the exceptions set out in article 49 of the UK GDPR applies. If you can’t identify an appropriate exception, you must not make the restricted transfer.

For most exceptions, you should consider if the restricted transfer and using an exception are both necessary and proportionate. These terms are explained below.

If you could use appropriate safeguards or obtain explicit consent, it’s less likely to be necessary and proportionate to rely on one of the exceptions to make the restricted transfer.

You can also use an exception alongside your chosen safeguard.

If you complete a transfer risk assessment (TRA) and decide that for some or all of the information you’re proposing to transfer:

  • your chosen safeguard doesn’t provide enough protection for people’s information, and
  • you’re not able to take extra steps or put in place extra protections,

you could consider whether an exception applies for the information for which the protection is materially lower. The exception only needs to cover the information and the risks that your chosen safeguard doesn’t sufficiently protect against.

If you’re making restricted transfers that are regular and predictable, or systematic, you’re less likely to be able to show that an exception is necessary and proportionate.

You must consider every exception you use on a case-by-case basis and should document your justification.


What are the exceptions?

You can make a restricted transfer if one of the following exceptions applies:

  • you’ve obtained explicit consent for the transfer from the person the information is about;
  • the transfer is necessary for performing a contract with the person the information is about;
  • the transfer is necessary to conclude or perform a contract with a third party, and doing so benefits the person the information is about;
  • the transfer is necessary for important reasons of public interest recognised in UK law;
  • the transfer is necessary to establish, make or defend a legal claim;
  • the transfer is necessary to protect someone's vital interests (eg a medical emergency) and the person the information is about isn't able to give their consent;
  • the disclosure is from a public register; or
  • the transfer is a one-off transfer necessary for your compelling legitimate interests.

Each of the exceptions is covered in more detail below.

What do we need to consider before relying on an exception?

If you’re making restricted transfers that are regular and predictable, or systematic, you’re less likely to be able to show that an exception is necessary and proportionate.

For most of the exceptions (except consent or disclosures from a public register), you must ensure the restricted transfer is necessary. This does not mean that the transfer has to be absolutely essential. However, you should ensure it is:

  • more than just useful and standard practice; and
  • a targeted and proportionate way of achieving a specific purpose. 

You should first consider if you can reasonably achieve the same purpose by other means. For example, if it is reasonable and proportionate to put in place appropriate safeguards (eg an international data transfer agreement (IDTA), including any extra steps and protections identified whilst carrying out your TRA), it’s unlikely to be necessary and proportionate to rely on an exception.

It's not enough to argue that the transfer is necessary because you’ve chosen to operate your business in a particular way. The question is whether the transfer is objectively necessary and proportionate for the stated purpose, not whether it's a necessary part of your chosen methods.

When you transfer personal information on the basis of an exception, there is a danger that the information (and the person concerned) will lose all protection once you’ve transferred it. You should reduce the risk by putting other protections in place, which will help to make relying on the exception more proportionate, for example:

  • a safeguard with a TRA which identifies the information which is not sufficiently protected;
  • professional rules (eg legal privilege); 
  • contractual protections (eg a confidentiality agreement or binding obligations to delete the information soon after transfer); or
  • technical and organisational measures to protect the information (eg pseudonymisation and restrictions on accessing or using the information).

In line with the accountability principle, you should justify and document your reasons for relying on an exception.


How do we decide if a transfer is necessary and proportionate?

To help you decide whether it is necessary and proportionate, you should map out the transfer of information and record the specific circumstances of the restricted transfer. This includes details of any protection that is in place for the information. When doing this, you should consider and document the following (unless you’ve already documented it as part of a separate TRA):

  • Are there appropriate safeguards in place for any of the information? (If there are, your TRA will have identified if there is any risk that some or all of the information will not be sufficiently protected.)
  • Who are you transferring the information to? 
    • What kind of organisation is the receiver (eg a public regulator like the ICO, an IT company, a parent or service company in your group)? 
    • Is the receiver a controller, joint controller, processor or sub-processor? 
    • Where is the receiver located?
    • Will the receiver transfer the information to any other organisations? If so, what will they do with the information?
    • How long will the receiver hold or access the information?
  • Why are you making the transfer? 
    • What will the receiver do with the information? 
  • What type(s) of information are you transferring?
    • Does it include any special categories of personal information, or other sensitive types of information such as financial transaction data, location data or confidential records?
    • Who is the information about (eg customers, employees or business contacts)?
    • How much personal information are you transferring?
  • Are there protections for the information because of the type of organisation or person the receiver is? 
    • Does the receiver have to comply with professional rules or other rules which apply in addition to the general legal regime of the destination country (eg if the receiver is a law firm, it may be subject to rules of professional conduct or rules of privilege)? 
    • Are there any other contractual protections (eg a confidentiality agreement)?
  • What technological and organisational security measures will the receiver have in place to protect the information?  
    • Is the information pseudonymised or encrypted?
  • How are you transferring the information? 
    • Are you transferring it by email, website encryption or secure file transfer protocol (SFTP)?
    • Does it involve remote access to information stored in the UK?
    • What is the format of the transferred information (eg plain text)?
  • How often will you transfer information?
    • Are you making a one-off transfer, or will you be transferring information continuously, hourly, daily, monthly, annually, etc?

When is it proportionate to make the transfer? 

Having mapped out your information flows and the specific circumstances of the restricted transfer, you should consider whether it is proportionate to make the restricted transfer to meet the purpose set out in the exception you identified.

There are two aspects to proportionality:

  1. You should consider whether there are any alternative options available to you to meet your purpose, which don’t involve making a restricted transfer. If it’s more proportionate to use an alternative option, it’s unlikely that you can justify making a restricted transfer.

| More likely to be proportionate to make the restricted transfer | Less likely to be proportionate to make the restricted transfer |
|---|---|
| Alternative option is significantly higher cost. | Alternative option is around the same cost. |
| Alternative option is significantly less beneficial to people. | Alternative option is similarly or more beneficial to people. |
| There is a higher risk of harm to people if you use the alternative option. | There is a similar or lower risk of harm to people if you use the alternative option. |

  2. You should also consider whether it is more proportionate to put in place appropriate safeguards for some, or all, of the information instead of using an exception.

| More likely to be proportionate to rely on the exception | Less likely to be proportionate to rely on the exception |
|---|---|
| Occasional transfers. | Regular and predictable transfers, or systematic transfers. |
| Lower volume of information. | Higher volume of information. |
| Lower risk of harm to people once you’ve transferred the personal information. | Higher risk of harm to people once you’ve transferred the personal information. |
| Other protections for the personal information are available if you transfer it. | No other known protections for the personal information if you transfer it. |

If it is more proportionate to put appropriate safeguards in place, you should do so.