The law restricts how your personal data can be transferred outside the European Union. It does this to prevent organisations circumventing the GDPR by using the data in a country where the law does not apply.
- you have given your informed consent (i.e. it has told you of its intention, and you have agreed)
- transfer is necessary to protect your vital interests or those of someone else, where you are physically or legally incapable of giving your consent
- transfer is necessary for the organisation to carry out a legal contract with you, or one in your interests
- it is necessary to establish, carry out or defend a legal claim
- transfer is necessary for reasons of public interest
- transfer is made by an organisation which under UK or EU law is intended to provide information to the public
- the EU Commission has vetted the country, territory or area as having an adequate level of data protection
- the organisation receiving the data has adequate safeguards
Transfers are also possible where:
- the organisation is not a public authority exercising its public powers
- they are not repetitive
- the data relates to a limited, small number of individuals
- they are necessary in the legitimate interests of the organisation and are not overridden by your interests
- safeguards are in place to protect your personal data
In these situations, an organisation must tell you and the supervisory authority about the transfer.