GDPR Transfer Limitation


The GDPR restricts Data transfers to countries outside the EEA (‘third countries’) in order to ensure that the level of data protection afforded to individuals by the GDPR is not undermined.

EEA countries include all EU countries and Iceland, Liechtenstein and Norway.  

When the UK leaves the EU it will become a third country.

You transfer Personal Data originating in one country across borders when you transmit, send, view or access that Data in or to a different country.

You may only transfer Personal Data outside the EEA if one of the following conditions applies:

EU Commission Adequacy Decision

The European Commission has issued a decision confirming that the country to which we transfer the Personal Data ensures an adequate level of protection for the Data Subjects’ rights and freedoms.

At the time of writing (2018) the following countries’ data protection regimes are deemed adequate: 

  • New Zealand
  • Switzerland
  • Andora
  • Argentina
  • Canada (for commercial organisations only)
  • Faroe Islands
  • Gurnsey
  • Isle of Man
  • Isreal
  • Jersey
  • Uraguay

Binding Corporate Rules (BCR)

Appropriate safeguards are in place in the form of binding corporate rules (BCR).

These are a business specific framework that allows intra-organisational cross border transfers.  They must be submitted to the ICO and receive her approval before being used.  A checklist of documents that must be submitted is linked here

Standard Contractual Clauses

Appropriate safeguards are in place in the form of standard contractual clauses approved by the European Commission.

The European Commission’s existing standard clauses do not fully comply with the GDPR’s provisions, nevertheless these clauses can be used until such time as the Commission approves new standard contractual clauses.  

There must also be a contract in place between the controller and processor that meets the requirements of article 28 (3) GDPR (i.e. standard processor contractual provisions).

A referral is currently underway from the Irish High Court to the European Court of Justice that may invalidate this method of transferring personal data to a third country so data controllers who use this method should be aware that changes to their practices may become necessary.

Approved Code of Conduct and Certification Mechanisms

An approved code of conduct or a certification mechanism provides data protection, and a copy of this must be available from the data controller.

At the time of writing (2018) no approved codes or certification mechanisms are in place other than the EU-USA Privacy Shield.


The Data Subject has provided Explicit Consent to the proposed transfer after being informed of any potential risks.

Consent must be ‘explicit’ (i.e. made by clear affirmative action).

Controllers must inform data subjects that their data will be transferred to a third country that does not provide adequate levels of protection before obtaining consent.  

They must also detail the potential risks involved, which should include details of the legal rights that will not be available in the third country because of the transfer.

Necessary for other reasons set out in GDPR

The transfer is necessary for one of the other reasons set out in the GDPR including:

  • the performance of a contract between the Data Controller and the Data Subject (note ‘necessary’ does not include where the controller has decided to locate its data processing activities in the third country)
  • the performance of a contract between the Data Controller and a Third Party that is concluded in the interest of the data subject (excluding public authorities exercising their public powers) (note the transfer must not be ‘occasional’ and ‘necessary’ and not ‘repetitive and ongoing’).
  • reasons of public interest,
  • to establish, exercise or defend legal claims or
  • to protect the vital interests of the Data Subject where the Data Subject is physically or legally incapable of giving Consent and,
  • (in some very limited cases and as an ultimate last resort) for the Data Controller’s legitimate interest.