International Data Transfers
The UK GDPR has rules for transferring personal data outside the UK to make sure it stays just as protected as it would be within the UK.
A transfer outside of the UK is considered a restricted transfer if you are initiating and agreeing to send personal data, or making it accessible, to a receiver (whether an organisation or individual) located outside the UK, and the receiver is a separate controller or processor, and legally distinct from you. For example, it is not a restricted transfer if you are sending personal data to someone employed by you, nor is it considered a restricted transfer if you are a processor sending or returning personal data to the controller, as this data flow remains the controller’s responsibility.
The UK GDPR allows you to make restricted transfers if at least one of the following is satisfied:
- The transfer is covered by adequacy regulations. This means that the legal framework in the country you are transferring the personal data to has been assessed as providing adequate protection for data subjects' rights and freedoms in relation to their personal data.
- The transfer is covered by appropriate safeguards. A list of these safeguards is contained in Article 46 of the UK GDPR, but the most used are standard data protection clauses: either the International Data Transfer Agreement (IDTA) or an International Data Transfer Addendum (Addendum), which is an addendum to the standard contractual clauses issued by the European Commission under the EU GDPR. These EU standard contractual clauses are not valid for restricted transfers under UK GDPR on their own, but using the Addendum allows you to rely on the EU standard contractual clauses for your transfers under the UK GDPR.
If you transfer personal data to a territory outside the UK which is not covered by adequacy regulations, you must have either the IDTA or the Addendum in place.
Both the IDTA and Addendum are approved by UK parliament, but one may be more appropriate than the other. For example, the IDTA is a standalone agreement intended to be used for UK transfers only, without also having to enter into the EU standard contractual clauses, and so is more appropriate for organisations which are only UK-based and only process personal data to which the UK GDPR applies. On the other hand, the Addendum is an "add-on" to the EU standard contractual clauses and so will be useful for multinational organisations that make numerous transfers of personal data that are subject to both the UK GDPR and EU GDPR.
Before using an Article 46 transfer mechanism for a restricted transfer, you must first conduct a transfer risk assessment. This mandatory assessment evaluates the risks of transferring personal data from the UK and determines if any extra safeguards are needed to ensure the data remains adequately protected.