UK ICO issues updated guidance on international transfers: Part 1 – identifying restricted transfers

The UK’s General Data Protection Regulation (GDPR) regime imposes restrictions on the transfer of personal data outside the UK. In January 2026, the UK’s data protection regulator, the ICO, published long-awaited updates to its guidance on those rules along with an interactive tool.  

Although similar to rules on international transfers under the EU GDPR, the UK approach now shows important areas of divergence and the guidance is essential reading for all businesses processing personal data covered by the UK GDPR. 

This blog summarises when the ICO considers the transfer rules to apply.  

In summary: 

  • The ICO’s position on restricted transfers is often less onerous than the equivalent position taken in EU-level guidance, and may be welcomed by businesses – particularly those subject only to the UK GDPR – as an attempt to lighten their regulatory burden.
  • The ICO’s divergent approach from equivalent transfer rules under the EU GDPR may cause additional compliance complexity for businesses that are subject to both the UK and EU GDPR.
  • The ICO’s position can produce some seemingly counter‑intuitive outcomes, emphasising why international transfers remain one of the most challenging areas for data protection compliance. 

The second blog in this series will explore how to ensure restricted transfers are carried out lawfully. 

Related UK and EU rules restrict personal data transfers to international organisations governed by public international law or established between countries. Those are unlikely to be relevant in a commercial context, and are beyond the scope of this blog series.

Restricted transfers

Under the updated ICO guidance, the UK GDPR’s international transfer rules apply whenever personal data is sent or made accessible, and all three of the following conditions are met:

  1. the UK GDPR applies to the processing of the personal data;
  2. the transfer of personal data is to an organisation outside of the UK; and
  3. the organisation receiving the information is a separate legal entity to the sender. 

If these criteria are met, the transfer rules apply even if the recipient is itself subject to the UK GDPR. Each such transfer, which the ICO refers to as a ‘restricted transfer’, must be covered by one of a limited number of permitted transfer mechanisms.

Equivalent EU-level guidance on the very similar wording of the EU GDPR also applies a three‑criteria test: 

  1. a controller or a processor is subject to the EU GDPR for the given processing;
  2. this controller or processor discloses by transmission or otherwise makes personal data available to another organisation; and
  3. this other organisation is in a country outside the EEA. 

However, while the first criterion under the UK and EU GDPR is the same, criteria 2 and 3 differ, as will be explored further below.

Remote access 

The ICO has reconfirmed its position that remote access (from outside the UK) to personal data subject to the UK GDPR will be a restricted transfer. EU-level guidance takes a similar approach.

Transfer vs transit 

The ICO has also confirmed that there is no restricted transfer where personal data is merely routed electronically through a country outside the UK and the sender has no intention that the personal data will be accessed or stored in that country. For example, if personal data is sent by email from UK company A to UK company B, it may transit the US as part of its electronic routing without this constituting a restricted transfer. 

This ‘transit’ concept is not expressly addressed in equivalent EU-level guidance, but it seems to follow that if there is purely technical routing where personal data merely passes through non-EEA territories without being accessed, stored, or ‘otherwise made available’ to any separate organisation, then one of the three EU criteria for a restricted transfer likewise is not met. 

Both UK and EU guidance also indicate that the sender must still put in place appropriate security measures to prevent unauthorised access to the personal data, even where it is not subject to a restricted transfer.

Organisation outside the UK

The ICO’s guidance explains that the concept of ‘transferring outside the UK’ focuses on where the receiving organisation is based. This means where that organisation is established, not the actual geographical location of the information itself. The ICO’s position focuses on ‘the contractual location of where the service provider is established’.

The ICO’s guidance clarifies that:

  • for a company or registered partnership, the relevant place of establishment is the country in which it is registered;
  • for a registered overseas branch of a company, the relevant country is the location of that registered branch;
  • in the case of a transfer to an individual representative or local office (of whatever size) that is not a registered branch, the transfer is to the country where the company is actually registered; and
  • for other types of organisations (eg, sole traders or unregistered partnerships) the relevant country is ‘usually’ the organisation's main place of business.

The ICO gives the example of a UK company using a company in the Netherlands to provide marketing services to its UK clients, where the Dutch company delivers those services through its UK subsidiary. According to the ICO, there is a restricted transfer in this example when the UK company sends its UK clients’ personal data directly to the UK subsidiary (even though the data may never have physically left the UK) because the UK company is contracting with the Netherlands company.

Conversely, it appears that the transfer of personal data originally held in the UK by a UK-registered company to another UK-registered company located in China may not be a restricted transfer. However, the transfer would be restricted if the recipient were a registered overseas branch of the second UK company. 

This concept is generally aligned with the EU approach and arguably also follows EU-level guidance, even though the ICO is clearer in various respects, including on the question of which entity is to be considered the importer.

Responsibility for compliance

The ICO’s guidance also addresses who is responsible for complying with the transfer restrictions. This is particularly relevant where an organisation that decides the purposes and means of processing (the controller) engages another to handle data on its behalf as a processor (ie, an organisation acting in accordance with the controller’s instructions).

The ICO’s view is that either the controller or the processor (but not both) is responsible for compliance with the transfer rules, depending on who ‘initiated’ the transfer by initially choosing to make the transfer happen as part of its processing purposes or service delivery. As a rule of thumb, an organisation is not initiating a transfer if it did not design the transfer structure or architecture and did not initially choose the receiver. The guidance sets out various further indicators that parties can use to assess who is responsible.

For example, where a UK processor is authorised by the controller to transfer personal data to its sub‑processor outside the UK, the processor is still likely to be regarded by the ICO as the party initiating the transfer (and therefore responsible for it). Even if you are not responsible for the transfer, the other obligations under the UK GDPR remain. 

This is in contrast to the EU approach, under which both the controller and processor (acting as an exporter on behalf of a controller) have to comply with the EU GDPR restricted transfer rules rather than only the ‘initiating’ organisation.  

Onward transfers

The ICO’s guidance explains that an onward transfer occurs if an organisation located outside the UK: (1) receives a restricted transfer of personal data; and (2) further transfers the information on to a separate organisation also located outside the UK. It states that an onward transfer is a restricted transfer only if the first receiving organisation’s processing of the personal data is subject to the UK GDPR. 

An example is provided where the UK GDPR applies to the processing done by a marketing company located outside the UK. It would be a restricted (onward) transfer if the marketing company receives a restricted transfer of personal data from the UK and then initiates a new transfer of the personal data to a separate organisation also outside the UK. 

Controllers outside the UK 

The ICO’s guidance states that a UK processor with a controller located outside the UK is ‘never making a restricted transfer’ if it transfers personal data to that controller provided it is:

  • only handling the personal data as a processor under the instructions of that controller; and
  • transferring the personal data to the same controller that instructed it to do the processing.

This is because the ICO views this as the controller initiating the transfer. 

This is different to the position in the EU (although based on similarly worded restrictions in the EU GDPR). The EU approach is that these kinds of ‘back to controller’ transfers would be considered restricted transfers. 

Next steps

While it is clear that the intention behind many of these updates is to make the UK approach more business friendly (in line with economic growth commitments given by the ICO), many international businesses may continue to apply the EU’s stricter approach to all ex‑EU and ex‑UK transfers for administrative simplicity.

The ICO’s guidance remains open for feedback and may evolve further. The ICO does not have law‑making powers, and some of the divergences between its approach and that of its EU counterparts may indicate areas where these rules could be pressure tested by courts in the coming years.

Please reach out to one of the authors of this blog post if you would like help navigating these complexities.
