International transfers

This subtopic discusses the international transfer of personal data under the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (the UK GDPR).

This Overview provides a high-level introduction to the subtopic and signposts more detailed guidance housed within it.

For an introduction to the UK GDPR, including the data protection principles, terminology, territorial scope and applicability, see Practice Note: The UK General Data Protection Regulation (UK GDPR).

Further guidance on equivalent laws under the EU’s General Data Protection Regulation, Regulation (EU) 2016/679 (the EU GDPR) is available in our EU Law practice area, see: International transfers (EU Law)—overview.

The Chapter V restrictions

Article 44 of the UK GDPR prohibits controllers and processors subject to the UK GDPR from transferring personal data to any country or territory outside the UK or to an ‘international organisation’ unless the conditions laid out in Chapter V (Transfers of personal data to third countries or international organisations) of the UK GDPR are complied with.

An international organisation under the UK GDPR means any organisation (and its subordinate bodies) governed by public international law or any other body which is

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

TAKE A FREE TRIAL

Latest Information Law News

ICO launches strategy to regulate AI and biometrics

The Information Commissioner’s Office (ICO) has launched a strategy to intensify regulatory oversight of AI and biometric technologies, focusing on ensuring responsible use of personal data. The strategy will scrutinise the use of automated decision-making systems in recruitment, facial recognition technology by police, and the use of personal data in training generative AI models. It also includes developing a statutory code of practice for responsible AI and examining emerging risks such as agentic AI. The ICO aims to support innovation while reinforcing public trust, and plans to consult on updated guidance and produce a horizon scanning report over the coming year.

UK Data (Use and Access) Bill facing collapse risk over Parliament’s AI copyright challenge

MLex: The UK’s Data (Use and Access) Bill faces increasing risk of collapse after the House of Lords again pushed forward an amendment to include in it protections for rights holders over their works being scraped for AI training. The House of Lords lawmaker who brought the amendment, which calls on the government to bring dedicated draft legislation on the issue, said their intent was not to kill the Bill but to push the government to respond by proposing its own amendment.

EDPB adopts final guidelines on third country authority data transfer requests

The European Data Protection Board (EDPB) has adopted final guidelines clarifying the application of Article 48 of Regulation (EU) 2016/679 (General Data Protection Regulation (GDPR)) regarding data transfers to non-European authorities. The guidelines establish that third country authority decisions require international agreements for automatic recognition in Europe. Where no such agreements exist, alternative legal bases may be considered in exceptional circumstances. The guidelines include new provisions addressing processor-specific scenarios and parent-subsidiary data transfer requests where the parent company is located in a third country.

EDPB adopts final guidelines on GDPR third country data transfer rules

The European Data Protection Board (EDPB) has adopted final guidelines clarifying Article 48 of Regulation (EU) 2016/679 (General Data Protection Regulation (GDPR)) regarding data transfers to third country authorities. The guidelines establish that judgements from non-European authorities cannot automatically be enforced in Europe, requiring either an international agreement providing legal basis and transfer grounds, or consideration of alternative legal bases in exceptional circumstances. The updated guidelines include new clarifications on processor obligations and parent company-subsidiary data transfer scenarios. The EDPB has also launched two Support Pool of Experts training initiatives addressing artificial intelligence compliance and data protection requirements.

View Information Law by content type :

News