International data transfers: UK GDPR requirements
How to legally transfer personal data outside the UK under UK GDPR. Covers adequacy decisions, Standard Contractual Clauses, the UK International Data Transfer Agreement (IDTA), exemptions, and Transfer Risk Assessments.
If your business sends personal data outside the UK, you must ensure adequate protections are in place. This applies whether you're transferring customer data to a cloud provider, sharing employee information with an overseas office, or using third-party services hosted abroad.
UK GDPR Chapter V sets out the rules for restricted transfers - transfers of personal data to countries outside the UK that don't have equivalent data protection standards. You cannot simply send personal data anywhere in the world; you need a lawful mechanism to do so.
When these rules apply
You're making a restricted transfer if you send personal data to:
- A country outside the UK (and EEA) without an adequacy decision
- An international organisation
- A cloud service provider whose servers are located outside the UK
- A subsidiary, branch, or partner in another country
Note: Transfers within the UK, and to the EEA (EU plus Iceland, Liechtenstein, Norway), are not restricted transfers.
Step 1: Check if the destination has an adequacy decision
The easiest way to transfer personal data outside the UK is to a country with an adequacy decision. This is a formal recognition by the UK government that a country provides an equivalent level of data protection to the UK.
If a country has an adequacy decision, you can transfer personal data there without additional safeguards - it's treated like a transfer within the UK.
- EEA (EU member states + Iceland, Liechtenstein, Norway): Covered by UK adequacy regulations. Transfers permitted without additional safeguards.
- Countries with UK adequacy decisions: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea (South Korea), Switzerland, United States (under EU-US Data Privacy Framework for certified organisations), Uruguay
- Adequacy bridge: The EU has an adequacy decision for the UK (until June 2025, with potential renewal), enabling data flows between the EU and UK.
US Data Privacy Framework: The US does not have a blanket adequacy decision. Only transfers to US organisations that have self-certified under the EU-US Data Privacy Framework (DPF) benefit from adequacy-like protections. You must verify the recipient is on the DPF list before relying on this.
Check the current list: Adequacy decisions can change. Always verify the current status on the ICO website before making transfer decisions.
Step 2: Use appropriate safeguards if no adequacy decision
If transferring to a country without an adequacy decision, you must implement one of the following safeguards:
- Standard Contractual Clauses (SCCs): Pre-approved contract terms that the data importer agrees to, providing contractual protections for the data. The most common mechanism for businesses.
- UK International Data Transfer Agreement (IDTA): UK-specific alternative to EU SCCs. A standalone contract approved by the ICO that can be used for any type of transfer.
- UK Addendum to EU SCCs: If you already use EU SCCs, you can add the UK Addendum to extend coverage to UK transfers. Simpler than adopting a completely separate contract.
- Binding Corporate Rules (BCRs): Approved internal policies for multinational groups. Complex and expensive to implement - typically only practical for large organisations.
- Approved codes of conduct: Industry-specific codes approved by the ICO with enforceable commitments from data importers.
- Approved certification schemes: Certification mechanisms approved by the ICO that include binding commitments.
Standard Contractual Clauses (SCCs)
SCCs are the most widely used mechanism for international transfers. They are pre-approved contract terms that bind the data importer to protect personal data to UK standards, even if local law is weaker.
Types of SCCs:
- Controller to Controller (C2C): When you share data with another organisation that decides how to use it
- Controller to Processor (C2P): When you send data to a service provider that processes it on your behalf
- Processor to Processor (P2P): When a processor engages a sub-processor
- Processor to Controller (P2C): Less common - when a processor sends data to a controller
You must select the appropriate module based on your relationship with the recipient.
UK International Data Transfer Agreement (IDTA)
The IDTA is the UK's own transfer mechanism, approved by the ICO in March 2022. It's designed specifically for UK GDPR and can be used as a standalone document.
When to use the IDTA:
- You're a UK-based organisation making transfers for the first time
- You want a single, simpler document instead of adapting EU SCCs
- You're setting up new vendor relationships
Key features:
- Tables to complete with transfer details (parties, data types, safeguards)
- Mandatory clauses that cannot be amended
- Some optional clauses that can be tailored
- Clear allocation of responsibilities between exporter and importer
UK Addendum to EU SCCs
If you already have EU SCCs in place (for EU GDPR compliance), you can add the UK Addendum to extend their coverage to UK data transfers. This is often simpler than adopting a completely separate IDTA.
When to use:
- You already have EU SCCs with a vendor
- You need to cover both EU and UK transfers to the same recipient
- Your vendor prefers to work with SCCs they're familiar with
The UK Addendum is a short document that references the EU SCCs and modifies them for UK law.
Step 3: Conduct a Transfer Risk Assessment (TRA)
Even with SCCs or an IDTA in place, you must assess whether the safeguards will work in practice. This is called a Transfer Risk Assessment (sometimes called a Transfer Impact Assessment).
You must assess:
- The laws of the destination country - could local authorities access the data?
- Whether the contractual protections can be enforced in that country
- The specific circumstances of your transfer (sensitivity of data, volume, recipient)
- Whether supplementary measures are needed to plug any gaps
1. Identify the transfer: Document what personal data you're transferring, to whom, in which country, and for what purpose. Map out your data flows to identify all international transfers.
2. Assess the destination country's laws: Research whether local laws allow government access to data, and whether the importer could be compelled to disclose it. The ICO provides country-specific guidance for common destinations.
3. Evaluate your chosen safeguard: Consider whether the SCC/IDTA protections are effective given the destination country's legal framework. If local law overrides the contract, the safeguard may not be sufficient.
4. Identify supplementary measures if needed: If risks exist, implement additional technical, contractual, or organisational measures. Examples: encryption where only you hold the key, pseudonymisation, additional audit rights.
5. Document your assessment: Keep a written record of your TRA, including your analysis and conclusions. You must be able to demonstrate compliance if challenged by the ICO.
6. Review regularly: TRAs should be reviewed when circumstances change - new laws in the destination country, changes to the data transferred, or new guidance from the ICO.
Supplementary measures
If your TRA identifies risks that SCCs/IDTA alone cannot address, you may need to implement supplementary measures:
- Technical measures: End-to-end encryption (where you control the keys), pseudonymisation, split processing across jurisdictions
- Contractual measures: Additional audit rights, transparency reporting, commitments to challenge government access requests
- Organisational measures: Due diligence on the importer, staff training, governance policies
If no combination of safeguards and supplementary measures can adequately protect the data, you should not make the transfer.
Exemptions (derogations)
In limited circumstances, you can transfer personal data without adequacy or safeguards. These exemptions should be used sparingly and do not allow for regular, repetitive transfers.
- Explicit consent: The individual explicitly consents to the transfer after being informed of the risks. Consent must be freely given, specific, informed, and unambiguous. Not suitable for ongoing business transfers.
- Contract with the individual: Transfer is necessary to perform a contract with the data subject (e.g., booking a hotel abroad) or to take pre-contractual steps at their request.
- Contract in the individual's interest: Transfer is necessary for a contract between you and another party that is in the individual's interest (e.g., arranging travel on their behalf).
- Important reasons of public interest: Transfer is necessary for important reasons of public interest recognised in UK law.
- Legal claims: Transfer is necessary for establishing, exercising, or defending legal claims.
- Vital interests: Transfer is necessary to protect someone's life, where they cannot give consent.
- Public register: Transfer is from a register intended to provide information to the public.
Using exemptions correctly
Explicit consent is commonly misunderstood. It requires:
- Clear, specific information about the destination country and risks
- An affirmative action from the individual (not pre-ticked boxes)
- The individual must have genuine choice - consent isn't valid if they have no alternative
- Easy withdrawal of consent at any time
To rely on the contract exemption, the transfer must be genuinely necessary for the contract, not merely convenient. You cannot rely on this exemption if you could perform the contract without the transfer (e.g., by using a UK-based provider instead).
Exemptions are not a general solution. They're designed for occasional, specific transfers - not for routine business operations like using overseas cloud services or sending employee data to a foreign head office.
Penalties for unlawful transfers
Transferring personal data outside the UK without appropriate safeguards is a serious breach of UK GDPR. It falls under the higher tier of penalties.
- Maximum fine: Up to £17.5 million or 4% of annual worldwide turnover, whichever is higher
- Legislation: UK GDPR Article 83(5), Articles 44-49
- Enforcement: The ICO can also issue enforcement notices requiring you to stop the transfer and bring processing into compliance
Practical compliance checklist
1. Map your international data flows: Identify all transfers outside the UK - including cloud services, subsidiaries, third-party processors, and business partners. Many businesses underestimate how many international transfers they make.
2. Check adequacy status for each destination: Verify whether the destination country has a current UK adequacy decision. If yes, no further safeguards are needed. If no, proceed to select a transfer mechanism.
3. Put appropriate safeguards in place: For non-adequate countries, implement SCCs, the UK IDTA, or the UK Addendum. Ensure contracts are properly signed by both parties.
4. Conduct Transfer Risk Assessments: Assess each transfer to determine if safeguards will be effective. Document your analysis and any supplementary measures needed.
5. Update your privacy notice: Inform individuals about international transfers - which countries, what safeguards you use, and how they can obtain copies of transfer documents if requested.
6. Include transfer provisions in contracts: When engaging new processors or partners abroad, ensure data transfer terms are addressed from the start. Don't start transferring data before contracts are signed.
7. Review regularly: Monitor for changes to adequacy decisions, new ICO guidance, or changes in destination country laws. Update your TRAs accordingly.