GDPR data transfer rules: what you need to know

Data protection law in the UK has changed as a result of Brexit. You can find the latest guidance here.

If you’re transferring data outside of the EEA, the GDPR (General Data Protection Regulation) imposes some restrictions.

These apply to all data transfers, no matter the size of the transfer or how often you carry them out.

So how do you make a restricted transfer in accordance with the GDPR? We explain in this post.

How do I know if I’m making a restricted transfer?

Transfers of personal data are defined as restricted if:

1) The GDPR applies to your processing of the personal data you are transferring.

For guidance on what constitutes personal data, see: GDPR: How the definition of personal data has changed.

2) You are sending personal data (or making it accessible) to a receiver to which the GDPR does not apply. This usually applies to recipients located in a country outside the EEA.

3) The receiver is a separate organisation or individual. This includes transfers to another company within the same corporate group.

How to make a restricted transfer in accordance with the GDPR

To comply with the GDPR, you must consider the following factors:

1) Is the restricted transfer covered by an ‘adequacy decision’?

If you are making a restricted transfer, you need to know whether it is covered by an EU Commission “adequacy decision”.

The ICO describes the ‘adequacy decision’ as:

…a finding by the Commission that the legal framework in place in that country, territory, sector or international organisation provides ‘adequate’ protection for individuals’ rights and freedoms for their personal data.

2) Is the restricted transfer covered by appropriate safeguards?

If there is no ‘adequacy decision’ for your restricted transfer, you need to find out whether you can make the transfer subject to ‘appropriate safeguards’ listed in the GDPR.

These ‘appropriate safeguards’ are:

  • A legally binding and enforceable instrument between public authorities or bodies.
  • Binding corporate rules.
  • Standard data protection clauses adopted by the Commission.
  • Standard data protection clauses adopted by a supervisory authority and approved by the Commission.
  • An approved code of conduct together with binding and enforceable commitments of the receiver outside the EEA.
  • Certification under an approved certification mechanism together with binding and enforceable commitments of the receiver outside the EEA.
  • Contractual clauses authorised by a supervisory authority.
  • Administrative arrangements between public authorities or bodies which include enforceable and effective rights for the individuals whose personal data is transferred, and which have been authorised by a supervisory authority.

3) Is the restricted transfer covered by an exception?

If you are making a restricted transfer that isn’t covered by an ‘adequacy decision’ or the appropriate safeguards listed above, you can only the transfer if it is covered by one of the eight  ‘exceptions’ set out in Article 49 of the GDPR.

These exceptions are:

Exception 1: The individual has given his or her explicit consent to the restricted transfer.

Exception 2. You have a contract with the individual and the restricted transfer necessary for you to perform that contract.


You are about to enter into a contract with the individual, and the restricted transfer necessary for you to take steps requested by the individual to enter into that contract.

Exception 3: You have (or are you entering into) a contract with an individual which benefits another individual whose data is being transferred, and that transfer necessary for you to either enter into that contract or perform that contract.

Exception 4: You need to make the restricted transfer for important reasons of public interest.

Exception 5: You need to make the restricted transfer to establish if you have a legal claim, to make a legal claim or to defend a legal claim.

Exception 6: You need to make the restricted transfer to protect the vital interests of an individual. He or she must be physically or legally incapable of giving consent.

Exception 7: You are making the restricted transfer from a public register.

Exception 8: you are making a one-off restricted transfer, and it is in your compelling legitimate interests.

What about Brexit?

Following Brexit, the UK granted an adequacy decision to the EU, enabling organisations to transfer data freely into the EU. And in June 2021, the EU responded in kind, granting an adequacy decision to the UK.

These decisions means that organisations can transfer personal data into and out of both regions without any additional safeguards, such as SCCs (standard contractual clauses) and BCRs (binding corporate rules).

However, the data protection requirements stipulated in the GDPR must still be adhered to when making data transfers.Find out more

Pseudonymisation and encryption

The GDPR advises organisations to pseudonymise and/or encrypt all personal data.

This won’t stop malicious actors accessing the information altogether, but it will make it much harder for them.

Pseudonymisation masks data by replacing identifying information with artificial identifiers.

Although it is central to protecting data – being mentioned 15 times in the GDPR – and can help protect the privacy and security of personal data, pseudonymisation has its limits, which is why the GDPR also mentions encryption.

Encryption also obscures information by replacing identifiers with something else.

But whereas pseudonymisation allows anyone with access to the data to view part of the data set, encryption allows only approved users to access the full data set.

Pseudonymisation and encryption can be used simultaneously or separately, and although neither requires technical knowledge to implement, the difficulty for organisations is in putting in place suitable security policies and procedures and making staff aware of their obligations.

What about the Schrems II ruling?

In July 2020, the ECJ (European Court of Justice) declared that the EU–US Privacy Shield – which organisations had used to make transatlantic personal data transfers – was no longer valid.

The decision came in the wake of complaints from the Austrian privacy activist Max Schrems, who argued that the US government’s mass surveillance practices contradict the protections that the Privacy Shield was supposed to provide.

The 5,000 or so organisations that currently use the framework will now have to rely on SCCs (standard contractual clauses), which are legal contracts that outline the terms and conditions for data transfers.

Schrems also challenged the validity of these, and although the ECJ chose not to abolish them, it did restrict their applicability.

Organisations and regulators must conduct case-by-case analyses of SCCs to determine whether protections concerning government access to data meet EU standards.

This will be a difficult task for all organisations, because to avoid a GDPR violation, you will need expert guidance.

If you don’t have someone in-house who can provide that advice, our EU–US GDPR Data Transfer Assessment and Action Plan will help.

Our team of experts will conduct a detailed review of your records of processing, process maps and data flow maps to identify the processes that need to be addressed.

They will then provide step-by-step advice to ensure that you’re able to conduct transatlantic data transfers efficiently and while also meeting your data protection requirements. 

Find out more

A version of this blog was originally published on 4 January 2018.