International transfers

This subtopic is intended for private sector commercial organisations in the UK and reflects the UK GDPR. It sets out the legal and practical challenges organisations face when transferring data outside the UK and suggests some risk management measures you may wish to adopt.

The data protection regime on international transfers

All transfers of personal data are subject to the general requirements of Assimilated Regulation (EU) 2016/679, UK General Data Protection Regulation (UK GDPR), eg you must:

  1. have a lawful ground for processing that personal data—see Practice Note: How to process personal data lawfully

  2. provide certain information to data subjects—see Practice Note: Privacy notices—information requirements, and

  3. (where the transfer poses a high risk) complete a data protection impact assessment—see Practice Note: How to complete a data protection impact assessment—DPIA

Where you transfer the personal data internationally (outside the UK), you must also satisfy and comply with requirements in Chapter V of the UK GDPR (Transfers of personal data to third countries or international organisations).

To comply with these requirements, you should consider:

  1. is the transfer caught by the data protection

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

Powered by Lexis+®
Latest Practice Compliance News
View Practice Compliance by content type :

Popular documents