First, we will carefully consider whether we really need to transfer personal information to a country or territory outside the UK or the EEA. If we can avoid it, we will.

Second, in line with our Promise 3 - Transparency, we will do our best to tell individuals if we transfer any personal information to a country or territory outside the UK or the EEA.

Third, (and in any event) we will always ensure that the recipient of personal information located in a country or territory outside the UK or the EEA is legally bound to process all personal information in line with UK or European data protection laws (i.e in line with the GDPR).

If we do decide to send personal information of UK or EEA residents to an organisation outside the UK or the EEA, we will only do so in one of the two circumstances below:

A. Approved countries

If the organisation is based in an "Approved Country" ie the UK or the European Commission (whichever is applicable to the transfer) has determined that the country provides an adequate level of data protection, either because of the data protection laws in force in that country or because of the international commitments entered into by that country. A current list of “Approved Countries” is available from the European Commission website. Note that Canada, Japan and Israel are Approved Countries. Companies in the USA which are signed up to an approved scheme can also safely receive personal information.

The UK recognises those countries that the European Commission had deemed adequate (as of 31 December 2020) as safe countries to transfer UK residents' personal information. The ICO's website has a list of countries covered by the UK adequacy regulations.

The UK and the EEA recognise each other as 'adequate' so personal information can be transferred freely in both directions between them.

or

B. Standard Contractual Clauses

Transfers of personal information out of the UK

If we are an organisation transferring personal information out of the UK, we need to use one of the following agreements/combination of agreements:

the European Commission's Standard Contractual Clauses plus the ICO's international data transfer addendum to them (UK Addendum); or

the ICO’s International Data Transfer Agreement (IDTA).

Transfers of personal information out of the EEA

If we are an organisation transferring personal information out of the EEA, we need to use the European Commission's Standard Contractual Clauses which cover the following transfers of personal information:

controller to controller;

controller to processor;

processor to processor; and

processor to controller.

How we use these agreements

We understand that other than completing the missing details, where indicated, we cannot amend any of these agreements because they are only approved by the regulators in their original form. If we use them like this, we do not need further authorisation from the regulator.

Note:
In exceptional circumstances we may transfer personal information outside the UK or the EEA by relying on an individual’s explicit consent but only if they have been told of the possible risks.

The most common alternative to the Standard Contractual Clauses is the use of Binding Corporate Rules which enable the transfer of personal information from companies in the UK or the EEA to group companies outside the UK or the EEA (as the case may be). This alternative takes a considerable amount of time to implement and requires approval from a supervisory authority.