The country the data is being transferred to has been approved as having an ‘adequate level of protection’ for personal data. Adequate countries include: New Zealand, Argentina, Israel, Japan (transfers to certain private sector organisations only) and Canada (transfers to certain private sector organisations only).

The European Commission determines which countries offer an adequate level of protection under EU GDPR. The UK has imported this list into UK GDPR and in future the UK government will make these decisions for the UK. One such UK decision has been the granting of adequacy to all EEA member states. This means personal data can be transferred from the UK to an EEA member state without the need for any additional safeguards.

During the bridging period, whilst the UK is awaiting an EU decision on whether to grant the UK adequacy for the purposes of transfers from the EEA to the UK, transfers can continue as they did during the transition period. If adequacy is granted transfers from the EEA to the UK will be able to continue the same terms as at present.

A restricted transfer can take place to a country that is not on the adequacy list if the exporter and the importer have entered a contract incorporating standard data protection clauses adopted by the Commission. This is known as the ‘International Data Transfer Agreement (IDTA)’.The UoM contracts Office and the Procurement team have created model contracts which include the IDTA template. The IDTAs that will need to be used will be dependent on the nature of the personal data you are processing and who the data subjects are. For example, if you are specifically targeting an online service to EU/EEA citizens based in the EEA you will need to comply with EU GDPR and the UK GDPR.

In certain circumstances a more ad-hoc transfer of personal data can take place to a country not on the adequate list if one of the derogations (exemptions) applies. There are exceptions for when a transfer is necessary for a contract, when it is in the vital interests of an individual or where there is explicit consent. You should seek advice from the Information Governance Office, Contracts Office, or Procurement, before seeking to rely on any of the derogations. 

Some companies may rely on an internal code of conduct (Binding Corporate Rules) operating within a multinational group, which applies to restricted transfers of personal data from the group's EEA entities to non-EEA group entities. This may be a corporate group, or a group of undertakings or enterprises engaged in a joint economic activity, such as franchises or joint ventures. These must be approved by a regulator such the UK Information Commissioner before they can be used. If these are in place the company, you are seeking to transfer data to will indicate this in their terms and conditions or a contract.