What restrictions does the UK GDPR place on employers transferring employee data outside the European Economic Area?

An employer can transfer personal data outside the European Economic Area (EEA), for example to a benefits provider or to its servers based outside the EEA, only if the conditions set out in the UK General Data Protection Regulation (retained from EU Regulation 2016/679) (UK GDPR) are met. The UK GDPR allows data transfers to a country, a territory or sector within a country, or an international organisation, that has been certified by the European Commission as having an adequate level of data protection in place. The UK Government has stated that it will continue to recognise existing European Commission adequacy decisions after the end of the Brexit transition period. It will also be able to make its own adequacy decisions, confirming that a particular country, territory or sector within a country, or international organisation has an adequate data protection regime.

If there is no adequacy decision, the employer can transfer data outside the EEA if the recipient has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects (ie the employees) are available. The UK GDPR allows for these safeguards to be provided through:

  • a legally binding agreement between public authorities or bodies;
  • binding corporate rules (covering transfers within a group of undertakings);
  • standard contractual clauses in the form of template transfer clauses adopted by the European Commission, or adopted by a supervisory authority (ie the Information Commissioner's Office (ICO) in the UK) and approved by the European Commission;
  • compliance with a code of conduct approved by a supervisory authority;
  • an approved certification mechanism as provided for under the UK GDPR; or
  • contractual clauses between the relevant parties, or provisions in administrative arrangements between public authorities or bodies, authorised by the relevant supervisory authority.

From 1 January 2021, the trade agreement between the UK and EU provides that, for a period of up to six months and pending a European Commission adequacy decision being adopted, the transfer of personal data into the UK will not be considered a transfer into a third country under EU law. This allows for the temporary continued free flow of data from the EEA to the UK.