Data Protection Policy - Transfer Outside the EEA

The eighth Data Protection Principle requires that personal data must not be transferred outside the European Economic Area unless the country or territory to which the data are to be transferred provides an adequate level of protection for personal data.

The European Commission has recognised a number of non-EEA countries which it deems to provide an adequate level of protection for personal data. Transfer of data to these countries will not violate the eighth Data Protection Principle. Similarly, the eighth Data Protection Principle will not be violated if transfer occurs in the following circumstances:

  • The data is transferred to a company in the United States which has signed up to the 'Safe Harbour' agreement (a set of rules similar to those found in the UK's data protection law).
  • The transfer is made under a contract which includes the model clauses adopted by the European Commission to ensure that there will be adequate safeguards for data transferred to a source outside the EEA.

Further information about the EC's list of approved countries, the 'Safe Harbour' agreement and the EC's model contractual clauses is available on the website of the Information Commissioner.

The Data Protection Act also contains a number of exemptions to the eighth Data Protection Principle. The transfer of personal data outside the EEA is permitted (regardless of the country to which the data are transferred or the receiving organisation), where at least one of the following applies:

  • The data subject has given his/her consent to the transfer.
  • The transfer is necessary for the performance of a contract between the data controller and the data subject; or a contract between the data controller and a third party which has been entered into at the request of the data subject, or is in the interests of the data subject.
  • The transfer is necessary for legal proceedings or defending legal rights.
  • The transfer is necessary for reasons of substantial public interest.
  • The transfer is necessary to protect the vital interests of the data subject.
  • The transfer is part of the personal data on a public register.

For further guidance or advice in relation to transferring personal data outside the EEA, please contact the Information Compliance Officer (FOI/DP).