Yes, the UK General Data Protection Regulation ("UK GDPR") prohibits UK established processors or controllers from transferring personal data outside the UK, unless adequate safeguards are in place or derogations under the UK GDPR apply. All relevant legal requirements and standards apply to third-party ICT arrangements including but not necessarily limited to the UK GDPR and the UK Data Protection Act 2018.

For example, transfers of personal data to jurisdictions that are deemed as "adequate" for the purposes of the UK GDPR are permissible. These include transfers of personal data from the UK to the EU, for example.

If the transfer of personal data from the UK is to a jurisdiction that is not deemed to be "adequate" for the purposes of the UK GDPR, additional steps may be required such as entering into standard contractual clauses and conducting an assessment of the laws and practices of that third jurisdiction in relation to whether those laws/practices would impinge on the effectiveness of the standard contractual clauses. There are two mechanisms for transferring personal data from the UK under the UK GDPR: (a) a UK international data transfer agreement; and (b) a UK addendum to the new EU standard contractual clauses. The international data transfer agreement and UK addendum to the new EU standard contractual clauses came into force on 21 March 2022. For agreements entered into before 21 September 2022 on the basis of the previous EU standard contractual clauses approved under the previous EU Data Protection Directive, these remain valid until 21 March 2024, if the processing operations and the subject matter of the contract remain unchanged and reliance on those standard contractual clauses ensures that the transfer of personal data is subject to appropriate safeguards.