Skip to main content
Data protection

Importance of protecting your data

If your organisation receives and transfers personal data to/from organisations abroad, including the European Economic Area (EEA), which includes the EU, or operates in the EEA, please see the updates below.

Receiving personal data from the EU/EEA and third countries which have EU adequacy decisions

The EU has now formally adopted ‘adequacy decisions’ for the UK. These allow for the ongoing free flow of personal data from the EU/EEA to the UK.

All 12 of the third countries deemed adequate by the EU are maintaining unrestricted personal data flows with the UK.

The European Commission has so far recognised the following as providing adequate protection:

  • Andorra
  • Argentina
  • Canada (commercial organisations)
  • Faroe Islands
  • Guernsey
  • Israel
  • Isle of Man
  • Japan
  • Jersey
  • New Zealand
  • Switzerland
  • Uruguay

Further information can be found on the ICO website.

Personal data flows from the UK

There are no changes to the way you send personal data to the EU/EEA, Gibraltar and other countries deemed adequate by the EU. 

For international data transfers from the UK to other jurisdictions, further information can be found on the ICO website.

Data protection and GDPR

The UK’s data protection regime is set out in the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. The Information Commissioner is the UK’s independent supervisory authority on data protection.

Next: the transition period >