International data transfers—practical compliance
International data transfers—practical compliance

The following Risk & Compliance practice note provides comprehensive and up to date legal information covering:

  • International data transfers—practical compliance
  • The data protection regime on international transfers
  • Is the transfer caught by the data protection regime on international transfers?
  • What transfers are restricted?
  • ICO practical examples
  • Is there an alternative?
  • Two-stage approach
  • Lawful grounds for processing
  • Valid mechanisms for international data transfers
  • Is the transfer covered by an adequacy decision?
  • More...

This Practice Note is intended for in-house lawyers, privacy and compliance professionals in private sector commercial organisations in the UK. It sets out the legal and practical challenges organisations face when transferring data outside the UK and suggests some risk management measures you may wish to adopt. For more detailed guidance on the law relating to international transfers, see Practice Note: UK GDPR and EU GDPR—transfers of personal data internationally and to international organisations. This Practice Note is not intended for public sector organisations.

See also Precedents: Transfer impact assessment—personal data and International personal data transfer—data recipient questionnaire.

This Practice Note reflects the UK GDPR and:

  1. Information Commissioner’s Office (ICO) guidance on International transfers after the UK exit from the EU Implementation Period

  2. European Data Protection Board (EDPB) Guidelines on Article 49 of the GDPR

  3. the decision in Facebook Ireland and Schrems, Case C-311/18—this case relates to the EU GDPR, but it is assumed that the same principles apply to the UK GDPR

  4. EDPB FAQs on the judgment in Schrems II

  5. EDPB Recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data

  6. EDPB Recommendations on the European Essential Guarantees for surveillance measures

  7. the EU-UK Trade and Cooperation Agreement, Article SERVIN 5.13 and Annex SERVIN-6

The EDPB Recommendations apply to the EU GDPR transfer regime (as opposed to the

Popular documents