Transfer Limitation

The GDPR restricts data transfers to countries outside the EEA in order to ensure that the level of data protection afforded to individuals by the GDPR is not undermined. You transfer Personal Data originating in one country across borders when you transmit, send, view or access that data in or to a different country.

On 28 June 2021, the EU Commission published an adequacy decision in respect of the UK for transfers under the EU GDPR. This enables cross-border data transfer within the EEA by the UK.

You may only transfer Personal Data outside the EEA if one of the following conditions applies:

  • The European Commission has issued a decision confirming that the country to which we transfer the Personal Data ensures an adequate level of protection for the Data Subjects' rights and freedoms.
  • Appropriate safeguards are in place such as binding corporate rules (BCR), standard contractual clauses approved by the European Commission, an approved code of conduct or a certification mechanism, a copy of which can be obtained from the DPO.
  • The Data Subject has provided Explicit Consent to the proposed transfer after being informed of any potential risks.
  • The transfer is necessary for one of the other reasons set out in the GDPR including the performance of a contract between us and the Data Subject, reasons of public interest, to establish, exercise or defend legal claims or to protect the vital interests of the Data Subject where the Data Subject is physically or legally incapable of giving Consent and, in some limited cases, for our legitimate interest.

You must comply with the Council's guidelines on cross-border data transfers.