Transfers to ‘third countries’ (ie countries outside the UK) are known as ‘restricted transfers’. It’s prohibited to transfer personal data to third countries unless safeguards (eg standard contractual clauses (SCCs)) are put in place. This will often involve incorporating the safeguards into the DPA.
Personal data can be transferred outside the European Economic Area (EEA) (eg to the United States of America), provided that such safeguards are in place.
Under this DPA, personal data belonging to both UK and EU data subjects can be transferred under the ‘new’ EU SCCs and the International Data Transfer Addendum.
Under this DPA, personal data belonging to UK data subjects only can be transferred under:
Anyone relying on the 'old' EU SCCs must update their agreements no later than 21 March 2024 and use the IDTA.
For more information, read International transfers of personal data and Standard contractual clauses.