UK GDPR and international transfers of personal data

One area of UK GDPR that we frequently find ourselves advising on is where personal data (which is information that relates to an identifiable individual), is transferred outside the UK to a separate organisation (and that includes companies within the same group of companies, where they are legally distinct). These transfers of personal data are known as 'restricted transfers'.?

In some cases,?where the personal data is being transferred within the EU, or to where a country has an ‘adequacy decision’ in place, this is relatively straightforward.? However, where transfers are to a ‘third country’ (for example the US), this is where difficulties can arise as here are specific rules in place by virtue of the UK GDPR that need to be complied with.?

Before carrying out a restricted transfer to a third country, there are certain steps that will need to be taken, including carrying out a ‘transfer risk assessment’ to ensure that the relevant protections under the UK data protection regime will not be undermined, and if required, ensuring that one of the ‘appropriate safeguards’ referred to in the UK GDPR, such as the International Data Transfer Agreement (IDTA) or Binding Corporate Rules are in place. There are other options available, and which of these is the most appropriate will need to be considered in each case.???

In 2023, Ireland's Data Protection Commission found Meta to be in violation of GDPR international transfer guidelines. The record-breaking fine of €1.2bn was issued to Facebook's parent company after it mishandled personal data when transferring it between Europe and the United States.??

We appreciate that for many businesses, knowing how to navigate this complex area can be daunting. Many do not know where to start, or do not know how and when data can be transferred internationally, or which documents are required to be in place.?

Our team of data protection experts can assist with this by providing advice and support to businesses which are transferring data across international borders.? This may be in the following ways:?

• Assessing whether any data is being transferred internationally.?

• Advising if this transfer will amount to a “restricted transfer” under Article 46 of the UK GDPR.?

• If the transfer amounts to a restricted transfer, advising in relation to the safeguards that will need to be put in place.?

• Advising in relation to transfer risk assessments.?

• Assisting with the relevant policies and procedures.?

For a no-obligation conversation about data protection and how we might help, contact Prettys’ dedicated Data Protection and Privacy Team on [email protected] or 01473 232121.?