What are the exceptions?
What is explicit consent?
You can make a restricted transfer if you have the explicit consent of the person the information is about.
You must ensure that explicit consent is both specific and informed about the restricted transfer you want to make. Therefore, when you’re asking someone for their consent, you must give them precise details about the specific restricted transfer you want to make.
You should tell people:
- the identity of the receiver, or the categories of receiver;
- the country you’re transferring the information to;
- why you need to make a restricted transfer;
- the type of information you’re transferring;
- they are able to withdraw consent; and
- the possible risks involved in you making a restricted transfer to the country without any other safeguards in place.
For more information, please read our guidance on consent.
This exception does not apply to public authorities when exercising their public powers.
You could rely on this exception if you’re also putting in place an appropriate safeguard. This may be the case if, from your TRA, you decide that your appropriate safeguard does not provide sufficient protection for all risks. If so, to obtain explicit consent, you should still set out the above information, but you only need to cover the risks which are not sufficiently protected by the appropriate safeguard.
Example
A UK firm intends to enter into an IDTA with the receiver of personal information in another country. It completes its TRA and identifies there are risks that may not be sufficiently protected by the IDTA.
It decides to still put in place the IDTA, as it contains many useful protections. It also asks the person it’s transferring personal information about to give their explicit consent to the restricted transfer, setting out the details of only those risks which the TRA identified as not being sufficiently protected.
The firm documents its use of the exception.
Relevant provisions in the legislation
Further reading – ICO guidance
- Consent
- Appropriate safeguards
- Transfer risk assessments
What is a contract with the person?
You can make a restricted transfer if:
- you have a contract with the person you’re transferring information about or you’re about to enter into a contract with that person; and
- it is necessary to make the restricted transfer so you can carry out:
  - your obligations in the contract; or
  - pre-contract steps requested by that person.
This exception only applies if the restricted transfer is necessary for the core purpose of the contract or the pre-contract steps.
This exception does not apply to public authorities when exercising their public powers.
Example
A UK travel company offers bespoke travel arrangements. A customer wishes to reserve a room in a Peruvian hotel. The UK travel company does not routinely arrange for its customers to stay at this hotel. The travel company needs to send the customer’s information to the hotel before the contract between the customer and the travel company is concluded in order to hold the room. This is a pre-contract step at the request of the customer, who the company is transferring the information about.
The travel company relies on this exception to send personal information to the hotel in Peru. It does this because it does not routinely arrange for its customers to stay at that hotel. If it did, it should consider using an appropriate safeguard (eg the IDTA). It only sends limited personal information that is necessary and proportionate for this purpose, such as the name of the customer, the room required and the length of stay.
The company also documents its use of the exception.
Example
A UK events company routinely sends personal information to a conference centre outside the UK. It intends to put in place an IDTA. When it carries out its TRA, it has concerns that the information will not have appropriate safeguards in that country.
The events company enters into the IDTA, as it contains many useful protections. It also relies on this exception for the aspects not covered by the IDTA. This is because the events company considers the restricted transfer is necessary and proportionate for the performance of its contracts with its customers, having considered any risks to the customers if their information is transferred to that country.
The company documents its use of the exception.
What is a contract in the person’s interest?
You can make a restricted transfer if you have, or are about to enter into, a contract which is not with the person you’re transferring the information about, as long as:
- the contract is for their benefit or in their interests; and
- it is necessary to make the restricted transfer so you can:
  - carry out your obligations in the contract (for the core purpose of the contract); or
  - enter into that contract.
This exception does not apply to public authorities when exercising their public powers.
You may rely on this exception as well as the previous exception (a contract with the person) at the same time for the personal information of:
- the person entering into the contract (a contract with the person); and
- other people benefiting from that contract, often family members (a contract in the person’s interest).
These two exceptions are not identical. This exception does not apply to restricted transfers for steps you’re required to take before entering into the contract.
Example
A UK travel company offers bespoke travel packages. A customer buys a package to a particular Peruvian hotel for themselves and their family. The travel company does not routinely arrange for its customers to stay at this hotel.
The travel company previously held the room booking using the customer’s name. To now secure the reservation, it needs to send the names of the family members to the hotel too.
The travel company relies on this exception to send this personal information to the hotel in Peru. It does this because it does not routinely arrange for its customers to stay at that hotel. If it did, it should consider using an appropriate safeguard, such as the IDTA. This is a restricted transfer that is necessary for the UK travel company to carry out its obligations in its contract with the customer and that is for the benefit of the other family members.
The travel company documents its use of the exception.
Relevant provisions in the legislation
What is public interest?
You can make a restricted transfer if it is necessary for important reasons of public interest.
You must ensure that the public interest is recognised in UK law. This does not include international treaties or agreements, but it does include any UK law made to give effect to an international agreement or treaty.
When deciding whether you can rely on this exception, you must consider whether:
- there is a UK law that recognises the activity in question; and
- the transfer is in the public interest.
You may need to seek legal advice when considering whether this exception applies.
This exception applies to both public and private organisations.
Examples when this exception may apply include international exchanges of personal information:
- between competition authorities, tax or customs administrations;
- between financial supervisory authorities for their regulatory functions;
- between public authorities dealing with social security matters; or
- for public health reasons (eg contact tracing for contagious diseases or to reduce or eliminate doping in sport).
Example
A UK firm regulated by both the Financial Conduct Authority (FCA) and the US Securities and Exchange Commission (SEC) is subject to occasional regulatory examinations by the SEC. One of the purposes of the examinations is to prevent financial crime. The SEC is legally entitled to request and examine books and records held by the UK firm as part of the examination.
In order to produce the books and records for the SEC, the firm needs to transfer personal information from the UK to the US. The transfer is not covered by the UK Extension to the EU-US Data Privacy Framework and there are currently no appropriate safeguards in place (eg the IDTA).
The SEC is acting within its regulatory powers when carrying out examinations and has the power to require firms to produce the relevant books and records it needs to complete the investigation. FCA regulated firms are legally required to deal with regulators, including overseas regulators, in an open and cooperative way. Facilitating SEC examinations through data sharing is part of fulfilling this legal obligation.
The UK firm assesses each request for information from the SEC on a case-by-case basis. SEC examinations are not public: documents are maintained in a secure environment and under strict confidentiality. The firm therefore decides that the transfer is necessary and proportionate in the circumstances for important reasons of public interest (in particular, its duty to cooperate with overseas regulators, and maintain financial stability and prevent financial crime).
The firm documents its use of the exception.
Relevant provisions in the legislation
What is a legal claim?
You can make a restricted transfer if it is necessary to establish, exercise or defend a legal claim for you or someone else.
‘Legal claims’ in this context are not limited to current legal proceedings. They include processing necessary for:
- actual or prospective court proceedings;
- obtaining legal advice (about a specific claim or otherwise); or
- establishing, exercising or defending legal rights in any other way.
You must be able to justify why transferring this specific information is ‘necessary’ to establish, exercise or defend the legal claim. You must ensure that it is relevant and proportionate, and you must only transfer the minimum amount of information needed for this.
The exception applies if you or another person involved in the legal claim:
- are engaged in pre-action correspondence;
- are taking advice about the legal risk in bringing or defending a claim; or
- have received a request for information from an overseas regulator with a view to it potentially taking formal action.
You can rely on the exception before proceedings have started or formal steps have been taken. However, this exception does not apply if there is only the possibility of a legal claim or other formal proceedings in the future.
This exception applies to both public and private organisations.
Relevant provisions in the legislation
What are vital interests?
You can make a restricted transfer if it is necessary to protect a person’s vital interests. This may or may not be the vital interests of the person you’re transferring information about.
Vital interests are intended to cover only interests that are essential for someone’s life. So, this exception is very limited in its scope and generally only applies to matters of life and death.
This exception only applies if the person you’re transferring information about is unable to give their consent. This may be because the person is physically or legally incapable of giving consent, for example:
- The person is unconscious.
- You’re not able to contact the person and, given the circumstances, you’ve taken reasonable and proportionate steps to try to contact them. In an emergency, it can be reasonable and proportionate not to even try to contact them.
- You don’t have time to provide the person with all the information needed for their explicit consent.
- The person is not capable of understanding all the information needed for their explicit consent.
You should ask for explicit consent if possible.
This exception is likely to be most relevant where you urgently need to use a person’s personal information for medical care, but they are unconscious or otherwise incapable of giving consent.
You must ensure that the risk to a person’s vital interests outweighs any data protection concerns. Therefore, you must not rely on this exception for general medical research.
This exception applies to both public and private organisations.
Example
A UK resident falls into a coma whilst in the US. Their GP surgery in the UK needs to transfer their medical history to the US hospital for their essential medical treatment.
The surgery can rely on this exception and documents its use.
The GP surgery should not rely on this exception if the UK citizen is awake, capable of giving explicit consent and there is time to get it.
Example
The US hospital needs information about the UK resident’s family medical history from their mother in the UK. The patient’s mother has severe dementia and is incapable of giving consent. Her GP surgery in the UK relies on this exception to transfer the relevant family history to the US hospital.
The surgery documents its use of the exception.
Relevant provisions in the legislation
Further reading – ICO guidance
What is a public register?
You can make a restricted transfer of information from a public register.
You must ensure that the register is created under UK law and is open to either:
- people in general; or
- any person who can demonstrate a legitimate interest.
Examples of public registers include registers of:
- companies;
- associations;
- land registers; or
- public vehicle registers.
The greater the volume of the public register you’re transferring, the less likely the restricted transfer is to be proportionate. It’s unlikely to be proportionate to make the restricted transfer if you’re transferring:
- the whole of the public register; or
- a whole set of one of the categories of personal information on the public register.
In order to rely on this exception, you must ensure that the transfer complies with the UK laws which apply to consultations and disclosures from that public register.
In some cases, the register may only be open to people who can show a legitimate interest in requiring access to the information. If so, you must take into account, as part of your legitimate interest assessment, that you’re sending the personal information to a country with less protection for the people the information is about.
This exception does not apply to private companies who create and hold registers (eg credit reference databases).
Relevant provisions in the legislation
What is a one-off transfer in our compelling legitimate interests?
You can make a restricted transfer if it is a one-off and in your compelling legitimate interests.
You should only rely on this exception in exceptional circumstances.
This exception does not apply to public authorities when exercising their public powers.
You must ensure that all the following apply to your restricted transfer:
- You’re unable to use any of the appropriate safeguards. You must not rely on this exception if you’re able to use one of the appropriate safeguards (even if it would involve significant costs to you).
- None of the other exceptions apply. You should give serious consideration to the other exceptions first. For example, you may be able to obtain explicit consent with some effort or investment.
- Your transfer is not part of a repetitive pattern. It may happen more than once, but you must ensure that the transfer is not regular and predictable, or systematic.
- The personal information only relates to a limited number of people. There is no absolute threshold for this. You should consider the number of people involved as part of the balancing exercise discussed below.
- You must ensure the transfer is necessary for your compelling legitimate interests. This exception requires a higher standard: you must have a compelling legitimate interest, such as a situation where there are serious consequences for you if you’re unable to make the restricted transfer, or significant benefits if you do make it. For example, transferring personal information to protect a company’s IT systems from serious immediate harm. Please see our guidance on legitimate interest as a lawful basis for processing.
- On balance, your compelling legitimate interests outweigh people’s rights and freedoms. You must balance the serious consequences for you if you’re unable to make the restricted transfer, or the significant benefits if you do make it, against the risk of harm to people if you make the restricted transfer. You should take into account the number of people the information relates to because this may affect the risk of harm.
- You’ve made a full assessment of the circumstances surrounding the transfer and provided suitable safeguards to protect the personal information, for example:
  - an appropriate safeguard that provides sufficient safeguards for some, but not all, of the risks detailed in your TRA;
  - a strict confidentiality agreement;
  - a legal requirement for the recipient to delete the information soon after transfer;
  - technical controls to prevent the recipient using the information for other purposes, or automatically deleting the information soon after transfer; or
  - sending pseudonymised or encrypted information.
  You must record this in full in your documentation of your processing activities.
- You’ve informed and explained the restricted transfer to the person you’re transferring information about, including why your compelling legitimate interest outweighs any risk of harm to them.
- You’ve informed the ICO about the transfer. We will ask to see full details of all the steps you’ve taken, as set out above. If we do not agree with your assessment, we may advise you that the restricted transfer is a breach of the UK GDPR transfer rules, and we will consider if it is appropriate for us to use our regulatory powers. You can notify us by emailing [email protected].
Relevant provisions in the legislation
Further reading – ICO guidance