Global Data and Cyber Handbook

United Kingdom

Select a Topic
Start Comparison
International Data Transfer
Are there restrictions on the transfer of personal data to third countries?

Last review date: 20 January 2025

Yes.

Third country is defined in Article 4(27) of the UK GDPR as a country or territory outside the United Kingdom.

Transfers of personal data to third countries are permissible only, if there is a legal basis for the processing/transfer and one of the following applies:

☒        approved adequate/whitelisted jurisdictions
☒        to holders of specific certifications or followers of specific code of conduct programs each approved by the relevant data protection and security authority
☒        approved standard contractual clauses
☒        binding corporate rules
☒        derogations, such as consent, contract performance, necessity to establish, exercise or defend legal claims
☒        other solutions

Please see separate question for information on data localization provisions that are not restricted to personal data.

Ad-hoc contracts approved by the data protection authority.

For the purposes of the UK GDPR, the EEA and all jurisdictions subject to an adequacy decision issued by the European Commission before the end of the Brexit transition period are recognized as adequate. This means that personal data can be transferred from the UK to those jurisdictions without the need for additional steps, such as standard contractual clauses. The UK government has the power to review the adequacy of all such jurisdictions and make its own adequacy regulations (including for additional jurisdictions) under the UK GDPR in the future.

On 28 June 2021 the European Commission adopted two adequacy decisions for the UK, under the GDPR and the Law Enforcement Directive, which means that personal data can be transferred from the EU to the UK without the need for additional steps such as the EU Standard Contractual Clauses.

The international data transfer agreement ("IDTA") and UK addendum to the new EU Standard Contractual Clauses ("UK Addendum") were approved by Parliament and came into force on 21 March 2022. For contracts that incorporate the EU standard contractual clauses approved by the European Commission under the Data Protection Directive, if such contracts have been entered into before 21 September 2022, they remain valid for the purposes of the UK GDPR until 21 March 2024, provided the processing operations that are the subject matter of the contract remain unchanged and reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards. Therefore, either the IDTA or UK Addendum must be used from 21 September 2022 onwards if using standard contractual clauses to address transfers of personal data from the UK to third countries. In addition, any existing agreements entered into before 21 September 2022 based on the EU standard contractual clauses under the Data Protection Directive will need to be replaced by 21 March 2024.