International transfers

This subtopic is intended for private sector commercial organisations in the UK and reflects the UK GDPR. It sets out the legal and practical challenges organisations face when transferring data outside the UK and suggests some risk management measures you may wish to adopt.

The data protection regime on international transfers

All transfers of personal data are subject to the general requirements of Assimilated Regulation (EU) 2016/679, UK General Data Protection Regulation (UK GDPR), eg you must:

•
have a lawful ground for processing that personal data—see Practice Note: How to process personal data lawfully
•
provide certain information to data subjects—see Practice Note: Privacy notices—information requirements, and
•
(where the transfer poses a high risk) complete a data protection impact assessment—see Practice Note: How to complete a data protection impact assessment—DPIA

Where you transfer the personal data internationally (outside the UK), you must also satisfy and comply with requirements in Chapter V of the UK GDPR (Transfers of personal data to third countries or international organisations).

To comply with these requirements, you should consider:

•
is the transfer caught by the data protection

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

TAKE A FREE TRIAL

Latest Practice Compliance News

FATF announces new mutual evaluation framework to strengthen global illicit finance defences

The Financial Action Task Force (FATF) has convened its annual high-level meeting with the nine FATF-Style Regional Bodies (FSRBs) in Strasbourg, announcing the implementation of new mutual evaluations. The Global Network, comprising the FATF and nine FSRBs, representing over 200 jurisdictions, remains committed to combating illicit finance through a unified set of standards and mutual evaluations. The meeting focused on implementing Global Network priorities, particularly preparing members for the upcoming mutual evaluations, which will prioritise effectiveness in tackling money laundering, terrorist financing and proliferation risks. All FSRBs aim to complete their first evaluations by late 2026 or early 2027. Additionally, significant emphasis was placed on fostering peer learning, experience sharing and strengthened cohesion within the Global Network, a key priority under the Mexican Presidency.

DSIT welcomes DUA Bill becoming Act of Parliament as DUAA

The Department for Science, Innovation and Technology (DSIT) has welcomed the Data (Use and Access) Bill (DUA Bill) receiving Royal Assent on 19 June 2025 and becoming law as the Data (Use and Access) Act 2025 (DUAA). DSIT notes that key measures include enabling real-time sharing of healthcare data across NHS services, saving 140,000 hours of admin annually and improving patient care, and the simplification of digital identity verification through certified tools, aiding tasks like renting or job application. The DUAA also introduces legislation to support investigations into child deaths linked to social media by preserving relevant data. Additionally, DSIT underlines that as mandated by the DUAA, a new Information Commission will replace the ICO, with a recruitment drive underway for its board to ensure diverse expertise.

ICO publishes guidance documents and work plan for Data (Use and Access) Act 2025

The Information Commissioner's Office has published several guidance documents and a working plan following the Data (Use and Access) Bill receiving royal assent on 19 June 2025 and becoming an Act of Parliament as the Data (Use and Access) Act 2025 (DUAA). The ICO notes that the main changes to the law include clarifying how personal information can be used for research, lifting restrictions on some automated decision making, setting out how to use some cookies without consent, allowing charities to send people electronic mail marketing without consent in certain circumstances and requiring organisations to have a data protection complaints procedure and introducing a new lawful basis of recognised legitimate interests. The ICO also underlines that the DUAA provides it with new powers including the ability to compel witnesses to attend interviews, request technical reports, and issue higher fines.

Data (Use and Access) Bill receives Royal Assent on 19 June 2025

The Data (Use and Access) Bill (DUA) received Royal Assent and became an Act of Parliament on Thursday 19 June 2025. This followed its parliamentary review being finalised on 11 June 2025 and marked the culmination of nearly eight months of parliamentary procedure. Under section 139 of the DUA, most provisions will come into force as and when the Secretary of State appoints regulations. However, a limited number of provisions came into force upon Royal Assent. This included section 78, which relates to reasonable and proportionate searches for data subject access requests. It also included sections 126–128 on the retention of biometric data, and schedule 16 on the grant of energy smart meter communication licences.

View Practice Compliance by content type :

News