International data transfers


International data transfers are a key component of our increasingly connected and digitalised world. Understanding the law on international transfers is essential to unlocking opportunities while protecting individuals’ privacy.

The UK GDPR restricts the transfer of personal data where:

  • The UK GDPR applies to processing of the personal data being transferred.
  • Personal data is sent, or made accessible, to a receiver to which the UK GDPR will not apply in relation to their processing of the data (usually because they are in a country outside of the UK).
  • The data receiver is legally distinct from sender as it is a separate company, organisation or individual.

It is possible to make a restricted transfer if the receiver is in a third country or territory, or is an international organisation, covered by UK adequacy regulations.

"Adequacy" is a status granted by the UK to countries which provide high standards of protection for personal data. An adequacy determination means that personal data can be transferred from the UK to that country freely, in accordance with the terms of the relevant adequacy decision.

UK "adequacy" regulations cover the EEA and all countries, territories and international organisations covered by European Commission adequacy decisions valid as at 31 December 2020. The UK intends to review these adequacy regulations over time, and further countries may be deemed to have adequate protections by the Secretary of State.

If there are no UK adequacy regulations in place for the recipient country, territory or sector of the restricted transfer, the transfer can only be made subject to appropriate safeguards being in place.

There is a list of appropriate safeguards in the UK GDPR. Each ensures that both the data exporter and the receiver of the restricted transfer are legally required to protect individuals’ rights and freedoms in respect of their personal data. Appropriate safeguards include:

  • A legally binding and enforceable instrument between public authorities.
  • Binding corporate rules.
  • Standard contractual clauses approved by the Secretary of State or the Information Commissioner.
  • An approved code of conduct.
  • An approved certification mechanism.

Before relying on any adequate safeguards, the data exporter must first carry out a transfer impact assessment.

The Schrems II judgement embedded transfer impact assessments into the rules on international data transfers. The court held that data exporter must verify on a case-by-case basis what protections apply (where appropriate in collaboration with the data importer) before relying on appropriate safeguards. The risk assessment considers the protections contained in that appropriate safeguard and the legal framework of the destination country.

If the restricted transfer is not covered by appropriate safeguards or a UK adequacy regulation, then the data exporter can only make that transfer if it is covered by one of the 2exceptions" set out in Article 49 of the UK GDPR.

In limited circumstances where the exceptions may apply, the restricted transfer may go ahead with the restricted transfer provided that the data exporter and date receiver still comply with the rest of the UK GDPR.

Data protection hub

View the hub now to explore additional legal resources.
Go to the hub

Your main contacts

Key takeaways


> International transfers will continue to play a vital role in connecting organisations and facilitating trade throughout the world.

> This is a dynamic area of law that continues to be subject to debate in the UK, the European Union and the rest world where differing views and regimes can conflict (see our key resources for recent cases and consultations in the UK on the direction of UK international transfer laws).

> While laws on international data transfers can appear daunting, successful compliance can help unlock opportunities while giving people confidence that their personal data will be protected when transferred overseas.