What restrictions does the UK GDPR place on employers transferring employee data outside the European Economic Area?

An employer can transfer personal data outside the European Economic Area (EEA), for example to a benefits provider or to its servers based outside the EEA, only if the conditions set out in the UK General Data Protection Regulation (retained from EU Regulation 2016/679) (UK GDPR) are met.

The UK GDPR allows data transfers to a country, a territory or sector within a country, or an international organisation, where the transfer is based on adequacy regulations (where the UK has concluded that an adequate data protection regime is in place). Adequacy regulations apply to the EEA countries and to countries outside the EEA that are covered by adequacy decisions from the European Commission.

If there are no adequacy regulations, the employer can transfer data outside the EEA if the recipient has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects (ie the employees) are available. The UK GDPR allows for these safeguards to be provided through:

  • a legally binding agreement between public authorities or bodies;
  • binding corporate rules (covering transfers within a group of undertakings);
  • standard contractual clauses in the form of template transfer clauses adopted by the European Commission, or adopted by a supervisory authority (ie the Information Commissioner's Office (ICO) in the UK) and approved by the European Commission;
  • compliance with a code of conduct approved by a supervisory authority;
  • an approved certification mechanism as provided for under the UK GDPR; or
  • contractual clauses between the relevant parties, or provisions in administrative arrangements between public authorities or bodies, authorised by the relevant supervisory authority.

The European Commission has adopted adequacy decisions for the UK, allowing for the transfer of personal data into the UK from the EEA without additional safeguards.