International Transfers of Personal Data

Key Points

  • This card represents the law pre-GDPR implementation and is being updated but for up-to-date information please see our summary GDPR card here
  • Under the Data Protection Act 1998 (the “DPA”), data controllers should not transfer personal data outside of the European Economic Area unless the country to which the data is transferred offers an adequate level of protection (the eighth data protection principle)
  • The European Commission has approved a number of countries as offering an adequate level of protection
  • The European Commission and Information Commissioner have approved model contract clauses that, if included in a contract between the data controller and the overseas recipient, equate to adequate protection
  • If the transfer of data is within the data controller’s corporate group, it is possible to comply with the eighth data protection principle by putting in place binding corporate rules that are approved by the Information Commissioner and any other relevant European data protection regulators
  • There are exemptions to the prohibition on international transfer of data in Schedule 4 of the DPA, including where the data subject has consented



The full content of this page is available to subscribers only. Please purchase a subscription if you feel this content will be of use to you.


Login or subscribe (includes subscription information) to access the full content of this page.