Skip to main content

International Data Transfers

Please contact the Information and Data Compliance Team first before undertaking any International Data Transfers by completing the attached form and sending via email.

The GDPR imposes restrictions on the transfer of personal data outside the EEA. Currently the EEA countries are:

Austria Belgium Bulgaria Czech Republic
Cyprus Denmark Estonia Finland
France Germany Greece Hungary
Iceland Ireland Italy Latvia
Liechtenstein Lithuania Luxembourg Malta
Netherlands Norway Poland Portugal
Romania Slovakia Slovenia Spain
Sweden UK    

Personal data may only be transferred outside the EEA in compliance with the following circumstances:

Adequacy decision by the Commission

Data transfers outside the EEA may be made where the European Commission has decided that a third country, a territory or one or more specific sectors in the third country, or an international organisation ensures an adequate level of protection. Currently, the following countries are considered as having adequate protection:


Andorra Argentina Canada * Faroe Islands
Guernsey Israel Isle of Man Jersey
New Zealand Switzerland Uruguay The US

* (Commercial organisations only)
†(limited to the Privacy Shield framework)

Third Countries

All countries which do not fall within the above lists are considered non-adequate countries for data protection purposes and are known as third countries.

Additional adequate safeguards

Organisations are able to transfer personal data to third countries where the organisation receiving the personal data has provided additional adequate safeguards which act as data protection guarantees. The safeguards must be outlined in a legally binding instrument, such as a contract or a Memorandum of Understanding, between the transferring and recipient parties. They should clearly describe the data protection principles that have to be respected, in particular:

  • data should be processed for a specific purpose and subsequently used or further communicated only insofar as this is not incompatible with the purpose of the transfer;
  • data quality and proportionality;
  • information of individuals concerned;
  • security measures;
  • possibility for the individuals involved to exercise their rights of access, rectification and opposition;
  • restrictions on onward transfers by the data recipient; and
  • effective supervision and enforcement mechanisms to ensure that the above-mentioned principles are respected.
Information to be provided to the data subject

A description of the details of the transfer, such as the categories of data, purposes, retention periods, detailed security measures, should be provided to the individuals (data subjects) concerned and explain how they can exercise their rights.

Derogations from the prohibition of transfers outside the EEA

The GDPR provides derogations from the general prohibition on transfers of personal data outside the EU for certain specific situations.

Procedure

As noted above the University’s DPO and Information and Data Compliance Team should be consulted before any International Data Transfers occur by completing the attached form for further advice and email to GDPR@warwick.ac.uk.

International Data Transfer Form