Skip to main content
Hafan

About this guidance

Contents

This guidance discusses in detail the exceptions (called “derogations” in the legislation) from the rules on international transfers. It is aimed at Data Protection Officers (DPOs) and those with specific data protection responsibilities.

It provides guidance on what the exceptions are and when they apply. It sets out what you need to do to comply with the legislation.

The guidance provides some examples to help illustrate how the legislation might apply in practice. However, we do not address every aspect of regulatory compliance that you are subject to.

You should read this guidance in conjunction with our other guidance. For broader guidance on data protection compliance, see our Guide to data protection.

If you’re processing information for law enforcement purposes, please read our separate guidance on international transfers in our Guide to law enforcement processing.

To help you to understand the law and good practice as clearly as possible, this guidance says what organisations must, should, and could do to comply. 

 

Legislative or legal requirements

Must refers to: 

  • legislative requirements within our remit; or 
  • established case law (for the laws that we regulate) that’s binding. 

Good practice 

  • Should doesn’t refer to a legislative requirement, but what we expect you to do to comply effectively with the law. We expect you to do this unless there’s a good reason not to. If you choose to take a different approach, you need to be able to demonstrate that this approach also complies with the law. 
  • Could refers to an option or example that you may consider to help you to comply effectively. There are likely to be various other ways for you to comply.

This approach only applies where indicated in our guidance. We will update other guidance in due course.