Transferring your data outside the EU

The law restricts how your personal data can be transferred outside the European Union. It does this to prevent organisations circumventing the GDPR by using the data in a country where the law does not apply.

• you have given your informed consent (i.e. it has told you of its intention, and you have agreed)
• transfer is necessary to protect your vital interests or those of someone else, where you are physically or legally incapable of giving your consent
• transfer is necessary for the organisation to carry out a legal contract with you, or one in your interests
• it is necessary to establish, carry out or defend a legal claim
• transfer is necessary for reasons of public interest
• transfer is made by an organisation which under UK or EU law is intended to provide information to the public
• the EU Commission has vetted the country, territory or area as having an adequate level of data protection
• the organisation receiving the data has adequate safeguards

Transfers are also possible where:

• the organisation is not a public authority exercising its public powers
• they are not repetitive
• the data relates to a limited, small number of individuals
• they are necessary in the legitimate interests of the organisation and are not overridden by your interests
• safeguards are in place to protect your personal data

In these situations, an organisation must tell you and the supervisory authority about the transfer.