The GDPR Essentials: International Data Transfers

4th September 2024

International Data Transfers

The UK GDPR has rules for transferring personal data outside the UK to make sure it stays just as protected as it would be within the UK.

A transfer outside of the UK is considered a restricted transfer if you are initiating and agreeing to send personal data, or making it accessible, to a receiver (whether an organisation or individual) located outside the UK, and the receiver is a separate controller or processor, and legally distinct from you. For example, it is not a restricted transfer if you are sending personal data to someone employed by you, nor is it considered a restricted transfer if you are a processor sending or returning personal data to the controller, as this data flow remains the controller’s responsibility.

The UK GDPR allows you to make restricted transfers if at least one of the following is satisfied:

  • The transfer is covered by adequacy regulations. This means that the legal framework in the country you are transferring the personal data to has been assessed as providing adequate protection for data subjects rights and freedoms about their personal data.
  • The transfer is covered by appropriate safeguards. A list of these safeguards is contained in Article 46 of the UK GDPR but the most used is standard data protection clauses, either the International Data Transfer Agreement (IDTA) or an International Data Transfer Addendum (Addendum) which is an addendum to the standard contractual clauses issued by the European Commission under the EU DGR. These EU standard contractual clauses are not valid for restricted transfers under UK GDPR on their own but using the Addendum allows you to rely on the EU standard contractual clauses for your transfers under the UK GDPR.

If you transfer personal data to a territory outside the UK which is not covered by adequacy regulations, you must have either the IDTA or the Addendum in place.

Both the IDTA and Addendum are approved by UK parliament, but one may be more appropriate than the other. For example, the IDTA is a standalone agreement intended to be used for UK transfers only without also having to enter into the EU standard contractual clauses and so is more appropriate for organisations which are only UK-based and only process personal data to which the UK GDPR applies. On the other hand, the Addendum, is an “add-on” to the EU standard contractual clauses and so will be useful for multinational organisations that make numerous transfers of personal data that are subject to both the UK GDPR and EU GDPR.

Before using an Article 46 transfer mechanism for a restricted transfer, you must first conduct a transfer risk assessment. This mandatory assessment evaluates the risks of transferring personal data from the UK and determines if any extra safeguards are needed to ensure the data remains adequately protected.

If you transfer personal data outside the UK and require advice on how to legitimise this transfer, please contact sophiebrazier@schofieldsweeney.co.uk.

We’re here for you – contact us today

0300 124 0406
enquiries@schofieldsweeney.co.uk

Contact Us

Bradford office

Church Bank House
Bradford
West Yorkshire
BD1 4DY

What3words - names.frosted.broke
Phone: 01274 350 800 Fax: 01274 306 111

Leeds office

Centura
76 Wellington Street
Leeds
West Yorkshire
LS1 2AY

What3words - crass.makes.store
Phone: 0113 849 4000 Fax: 0113 243 9326

Huddersfield office

30 Market Street
Huddersfield
West Yorkshire
HD1 2HG

What3words - eaten.salads.case
Phone: 01484 915 000 Fax: 0800 368 8449

London office

33 Bedford Row
London
WC1R 4JH
Phone: 020 8146 5119
Copyright © Schofield Sweeney Solicitors. All Rights Reserved.

Schofield Sweeney LLP is authorised and regulated by the Solicitors Regulation Authority.

Website by Tall
Conveyancing Quality