Personal data flows to and from the UK
This guidance explains the steps organisations should take when transferring the personal data of UK citizens outside of the UK. It helps to ensure you have the correct protections in place when transferring a person's data, both to the EU and to countries not covered by adequacy decisions.
Compliance with the UK GDPR
You should make sure you're familiar with the basic features of General Data Protection Regulation (GDPR) compliance and understand:
- the personal data you process
- where it comes from
- the supply chains you're a part of
- whether you're a controller, joint controller or processor in relation to that data
Personal data transfers from the UK to third countries – international data transfers
International data transfer agreement (IDTA)
You can use the IDTA, or the Addendum to the EU standard contractual clauses (SCCs), when transferring personal data to countries not covered by an adequacy decision.
How could this affect you and your firm?
Organisations in the UK can now use the IDTA or Addendum as a transfer tool and safeguard to comply with article 46 of the UK GDPR when making restricted transfers.
The IDTA and Addendum replace the EU’s current SCCs for international transfers and take into account the European Court of Justice’s judgement in the Schrems II case.
Firms should note that existing arrangements for transfers using the old EU SCCs are still valid until 21 March 2024 provided that:
- the processing operations that are the subject matter of the contract remain unchanged, and
- the transfer of personal data is subject to appropriate safeguards
The outward flow of data from the UK to the EU/EEA remains unaffected.
This is because the UK government considers the EU 27 member states, and members of the EEA adequate for the purposes of data protection.
Other appropriate article 46 safeguards
Using the IDTA or the IDTA Addendum is just one safeguard you can rely on when making a restricted transfer. Here are some others:
Multinational businesses can adopt binding corporate rules (BCRs) under article 47 GDPR.
BCRs allow organisations to transfer personal data within their group of undertakings or enterprises, from the UK to a third country.
The BCRs need to be approved by the Information Commissioner’s Office.
Organisations in the UK may wish to consider adopting, through their trade association or representative body, approved codes of conduct or certification mechanisms, together with enforceable and binding rules on the controller or processor.
Article 49 lists derogations for specific situations. These include:
- explicit consent
- fulfilling a contractual obligation
- public interest
- exercise or defence of legal claims or vital interests of the data subject
Although derogations are a valid transfer mechanism, the European Data Protection Board (EDPB) advises that the use of derogations be interpreted restrictively so that the exception does not become a rule.
Personal data flows between the EU/EEA and UK
Background: UK data adequacy decisions
On 28 June 2021, the European Commission (EC) adopted two UK data adequacy decisions.
These decisions mean that data flows between the EU and the UK can continue, and you do not need to adopt additional safeguards.
However, we advise that you regularly revise your contingency planning, as both decisions are valid for four years and subject to regular monitoring and review.
Transfers of personal data without an adequacy decision
Should the EU’s adequacy decisions be revised or withdrawn, anyone transferring personal data from the EU/EEA to the UK would do so on a third-country basis.
Firms would need to put in place one of the additional safeguards set out in article 46 of the GDPR. These include:
- binding corporate rules (BCRs)
- standard contractual clauses (SCCs)
- certification and codes of conduct
Also, article 49 of the GDPR lists derogations available to those wishing to transfer EU/EEA personal data to a third country.
To prepare for this possibility, processors in the UK should make sure they understand:
- their data supply chain, and
- whether and how they might be eligible to rely on a derogation in the absence of an appropriate safeguard
Steps you should take now
1. Check the guidance
You should consult all available guidance from relevant regulators, in particular the EDPB.
2. Be prepared to demonstrate compliance
You'll need to take appropriate actions to demonstrate your own or your firm's efforts to comply with the relevant data protection regime.
You can do this by:
- devoting proportionate and reasonable resources to identifying risk associated with your international data transfers
- mitigating that risk with the appropriate mechanism (such as data subject consent, SCCs, BCRs, or certification and codes of conduct)
- supporting this with governance, internal controls and staff training
3. Review EU/EEA data flows
You should review your data flows from the EU/EEA, including:
- transfers of personal data from the EU/EEA to the UK
- onward transfers of that data from the UK to third countries
4. Consider local privacy laws
If you have an office in another EU country or process EU personal data, you should consider other aspects of local privacy laws in that country, as the GDPR allows for local variations (for example, in relation to processing special categories of data).
5. Nominate a lead supervisory authority
If you have offices in other EU states and have nominated the Information Commissioner's Office (ICO) as your lead supervisory authority (LSA) under the consistency mechanism (section 2 of chapter VII), you'll have to nominate another EU regulator as your LSA for EU personal data.
Your LSA should be chosen in accordance with GDPR requirements.
6. Appoint an EU representative
If you do not have an office in an EU member state, but intend to process EU personal data, you may need to appoint an EU representative and update your privacy notices to include their contact details.
7. Review privacy policies
You should review your privacy policies so that clients are informed of the movements of their personal data in and outside of the EU.
Review which of the safeguards set out in articles 46, 47 and 49 of the GDPR are best suited to the needs of your firm.
If your firm’s processing relied on consent obtained while the UK was a member of the EU, you should consider obtaining it again; it’s currently unclear whether UK businesses relying on consent in processing EU personal data will be able to continue to do so after the end of the bridging mechanism.
You should closely examine the consent language to see if it specifically covers the transfer of personal data obtained outside the EEA.
Bilateral agreements with EU member states
EU member states do not have the competence to unilaterally grant adequacy decisions to third countries.
The UK cannot form bilateral agreements with member states on the cross-border transfer of data, in areas governed by EU law, or in relation to databases governed by EU law.
Read European Data Protection Board (EDPB) guidance:
- guidelines 3/2018 on the territorial scope of the GDPR (article 3)
- recommendations on the European essential guarantees for surveillance measures
- recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data
- information note on binding corporate rules with UK SA as lead authority
- guidelines on derogations of article 49 under Regulation 2016/679