Dashboard
Dashboard Make a document Ask a lawyer Get guidance Home
Account
Profile information Account settings
Logout
Help
Help Contact us
Explore
Make documents Ask a lawyer Get guidance About us
Account
Sign up Log in
Help
Help Contact us
Make documents
Easily make legal documents
See all documents
Popular business documents
Popular employment documents
Popular property documents
Popular family documents
Terms and conditions Privacy policy Non disclosure agreement Shareholders' agreement
Employment contract Health and safety policy Environmental policy Consultancy agreement
Tenancy agreement Lodger agreement Eviction notice Declaration of trust
Affidavit Prenuptial agreement Last will and testament Power of attorney
Ask a lawyer
Get quick legal advice from a lawyer
Ask your question
Popular legal topics
COVID-19: Business legal help COVID-19: Individual legal help Protect intellectual property Run an online business
Hire employees Manage employees Discipline employees Dismiss employees
Rent residential property Rent commercial property Manage rented property Evict tenants
Get divorced Apply for probate Make a lasting power of attorney Bespoke legal drafting
Get guidance
Get reliable legal guidance
Read legal guides
Popular business guides
Popular employment guides
Popular property guides
Popular family guides
COVID-19: Business legal help COVID-19: Individual legal help Types of shares Ending a contract
Overpayment of wages Notice periods Summary dismissal Implied employment terms
Declaration of trusts Legal interests in property Section 21 notices Security of tenure
Affidavits Executing a will Changing your name Getting married
About us
Learn more about Rocket Lawyer
Contact us
Get more information
Pricing
Help
About us
Careers
  1. /site/gb/en
  2. Legal guides
  3. International transfers of personal data

International transfers of personal data

Transfers of personal data to recipients outside the European Economic Area (EEA), ie a 'third (non-EU) country' is prohibited under the law on data protection unless certain safeguards are put in place. This affects all organisations that engage in international transfers, for example, cloud-based services. Such organisations need to implement lawful data transfer mechanisms in order to be compliant.

International transfers to a recipient in a third country may take place, without a need to obtain any further authorisation, if the European Commission has decided that such third country ensures an adequate level of data protection. The current list of countries considered 'adequate' can be found on the European Commission's website.

You may transfer personal data where the organisation receiving the personal data has provided adequate safeguards. Adequate safeguards may be provided for by:

Binding corporate rules

International data transfers within a corporate group may take place on the basis of Binding Corporate Rules (BCRs). BCRs require approval from Data Protection Authorities (such as the Information Commissioner's Office (the ICO)), but once such approval is obtained, individual transfers made under the BCRs do not require further approval.

BCRs are like a code of conduct, allowing multinational companies to transfer personal data internationally within the same corporate group to countries that do not provide an adequate level of protection.

Model clauses

International data transfers may take place on the basis of standard data protection clauses approved by the European Commission. The ICO has approved the use of the model clauses as a means of ensuring adequacy, however, this approval only extends to use of the model clauses as they stand, with additional contractual language added to them that doesn't contradict them in any way.

There are two sets of model clauses produced by the European Commission. One governs controller-to-controller transfers and the other controller-to-processor transfers. You can find both sets of model clauses on the European Commission's website.

Certifications

International data transfers may take place on the basis of certifications. Certifications provide organisations with a formally recognised confirmation of compliance with EU data protection law, typically with an associated visual symbol, confirming that the organisation satisfies the requirements of the relevant seal or certification.

An example of such a certification is the EU-US Privacy Shield.

EU-US Privacy Shield

The EU-US Privacy Shield is a framework for transatlantic exchanges of personal data between organisations in the European Union and the United States. It imposes stronger obligations on US companies to protect Europeans' personal data, requiring them to monitor and enforce more robustly, and cooperate more with European Data Protection Authorities, such as the ICO.

The Department of Commerce in the US, which oversees certification under the scheme, has a dedicated website that offers advice. It is important to remember that if the company you want to transfer data to is not certified under the EU-US Privacy Shield, its protections will not apply.

You can contact the ICO about the Privacy Shield by emailing: privacyshield@ico.org.uk.

For more information about this complex area, Ask a lawyer.

The Umbrella Agreement is a comprehensive high-level data protection framework for EU-US law enforcement cooperation (eg combating terrorism and other crime) which allows the transfer of personal data; it is separate from the EU-US Privacy Shield.

Follow us

We use cookies to provide the best experience