
International transfers of personal data

Transfers of personal data to recipients outside the UK (i.e. in a ‘third country’) are prohibited under data protection law unless certain safeguards are put in place. Such transfers to third countries are known as ‘restricted transfers’. This affects all organisations that engage in international transfers, for example, cloud-based services. Such organisations need to implement lawful data transfer mechanisms in order to be compliant.

International transfers to a recipient in a third country may take place, without a need to obtain any further authorisation, if the UK has decided that the third country ensures an adequate level of data protection. The European Economic Area countries are all currently considered adequate. The current list of countries considered ‘adequate’ can be found on the website of the Information Commissioner's Office (ICO).

You may transfer personal data where the organisation receiving the personal data has provided adequate safeguards. Adequate safeguards may be provided for by:

Binding corporate rules

International data transfers within a corporate group may take place on the basis of Binding Corporate Rules (BCRs). BCRs require approval from Data Protection Authorities (such as the ICO), but once such approval is obtained, individual transfers made under the BCRs do not require further approval.

BCRs are like a code of conduct, allowing multinational companies to transfer personal data internationally within the same corporate group to countries that do not provide an adequate level of protection.

Model clauses

International data transfers may take place on the basis of standard data protection clauses (standard contractual clauses, or SCCs) approved by the UK. From 1 January 2021, the UK will be able to produce its own SCCs for transfers made from the UK. On 4 June 2021, the European Commission published new SCCs under the EU’s GDPR; these are not valid for restricted transfers from the UK.

The ICO has approved the use of the model clauses as a means of ensuring adequacy. However, this approval only extends to use of the model clauses as they stand, with any additional contractual language added to them not contradicting them in any way.

There are two sets of model clauses produced by the ICO. One governs controller-to-controller transfers and the other controller-to-processor transfers. You can find both sets of model clauses on the ICO's website.


International data transfers may take place on the basis of certifications. Certifications provide organisations with a formally recognised confirmation of compliance with UK data protection law, typically with an associated visual symbol, confirming that the organisation satisfies the requirements of the relevant seal or certification.

For more information about this complex area, Ask a lawyer.

On 1 January 2021, the UK became a ‘third country’ (a country outside of the EU) for the purpose of personal data transfers outside the EU.

On 28 June 2021, the European Commission adopted an ‘adequacy decision’ in relation to transfers of personal data from the EU and EEA to the UK. This brings an end to uncertainty over transfers of personal data to the UK.

This means that personal data transfers from the EU and EEA to the UK can be made without the need to put in place additional contractual paperwork, measures or assessments. The adequacy will be reviewed every 4 years (provided the UK continues to ensure an adequate level of data protection) and the Commission will intervene if necessary.


Businesses should ensure they are clear about transfers of personal data in their Privacy policies.
