Skip to main content

International Data Transfers

The GDPR imposes restrictions on the transfer of personal data outside the EEA. Currently the EEA countries are:

Austria Belgium Bulgaria Czech Republic
Cyprus Denmark Estonia Finland
France Germany Greece Hungary
Iceland Ireland Italy Latvia
Liechtenstein Lithuania Luxembourg Malta
Netherlands Norway Poland Portugal
Romania Slovakia Slovenia Spain
Sweden UK    

Personal data may only be transferred outside the EEA in compliance with the following circumstances:

Adequacy decision by the Commission

Data transfers outside the EEA may be made where the European Commission has decided that a third country, a territory or one or more specific sectors in the third country, or an international organisation ensures an adequate level of protection. Currently, the following countries are considered as having adequate protection:


Andorra Argentina Canada* Faroe Islands
Guernsey Israel Isle of Man Jersey
New Zealand Switzerland Uruguay  

* (Commercial organisations only):

Transfers subject to appropriate safeguards

Organisations are able to transfer personal data where the organisation receiving the personal data has provided adequate safeguards including, but not limited to:

  • binding corporate rules; or
  • standard data protection clauses in the form of template transfer clauses adopted by the Commission.
Derogations from the prohibition of transfers outside the EEA

The GDPR provides derogations from the general prohibition on transfers of personal data outside the EU for certain specific situations.

The University’s DPO and Information and Data Compliance Team should be consulted before any International Data Transfers occur.