International Data Transfers Guide for UK, EU, and US Businesses

International Data Transfers: Guide for UK, EU, and US Businesses

Updated: July 2026

A “data transfer” under the UK and EU General Data Protection Regulation (GDPR) covers more than data moving across a server. You make a “restricted transfer” whenever you send personal data, or even make it accessible, to a separate legal entity located outside your jurisdiction. This includes sending data to a subsidiary, vendor, or cloud service provider in another country.

The rules apply the moment personal data protected by UK or EU GDPR reaches a legally distinct organisation outside the UK or European Economic Area (EEA). This applies to every transfer, regardless of size or frequency.

Many businesses assume a “data transfer” only happens when someone emails a file, but the rules go further than that. If a US-based parent company can log in and view the HR records of its UK subsidiary, that access alone counts as a restricted transfer under the UK GDPR, even without a download taking place. Businesses miss this point often, and it causes real compliance gaps.

Getting these rules wrong exposes your business to serious consequences. International data flows keep modern business running, from cloud computing to global customer support. Non-compliance can bring substantial fines, regulatory orders to stop transfers (which disrupts operations), and reputational damage.

Are British Overseas Territories Treated as Domestic for Data Transfers?

A common mistake is assuming that politically linked territories count as “domestic” for data protection purposes. The legal reality works differently and rests on formal legal assessments, not political geography.

Does the UK allow free data transfers to Gibraltar?

Under the UK GDPR, Gibraltar is legally classed as a “third country.” It’s a British overseas territory, but it is not part of the UK for data protection purposes.

The UK has granted Gibraltar an “adequacy decision,” though. This is a formal finding that Gibraltar’s data protection law, the Gibraltar GDPR, which closely mirrors the EU’s version, gives a level of protection equivalent to the UK’s own standard.

This adequacy decision works like a green light. You can transfer personal data from the UK to Gibraltar without extra safeguards, such as an International Data Transfer Agreement (IDTA) or a Transfer Risk Assessment (TRA). It’s the simplest of all UK-to-third-country transfers. You still stay responsible for ensuring the data is processed lawfully and securely once it arrives; your core UK GDPR obligations don’t disappear. Transfers from Gibraltar back to the UK are also allowed under local Gibraltar rules that recognise the UK as adequate.

What are the Rules for UK transfers to other British overseas territories?

All other British Overseas Territories (BOTs), including major financial hubs such as the Cayman Islands, Bermuda, and the British Virgin Islands (BVI), also count as “third countries” under the UK GDPR.

Here is the key difference: unlike Gibraltar, none of these other territories has a UK adequacy decision. This means you cannot transfer data to them freely. A transfer from the UK to these BOTs is a restricted transfer and requires specific steps by law:

• Use an appropriate safeguard: put a formal legal mechanism in place. For transfers within a corporate group, this is typically the UK’s International Data Transfer Agreement (IDTA) or the UK Addendum to the EU’s Standard Contractual Clauses (SCCs). UK Binding Corporate Rules (BCRs) are another option.

• Conduct a Transfer Risk Assessment (TRA): you must assess whether your chosen safeguard, such as the IDTA, will work in practice. This means analysing the local laws and government surveillance powers in the destination territory to check they don’t undermine the protections in your contract. This is a mandatory, risk-based assessment, and you must document it.

Many of these territories have modern data protection laws, but the UK has not formally deemed them adequate.

• Bermuda: the Personal Information Protection Act (PIPA) 2016 became fully effective on 1 January 2025. It’s a comprehensive law with GDPR-inspired principles, requiring a privacy officer and strong security safeguards. The UK does not consider it adequate, though.

• Cayman Islands: the Data Protection Act (DPA), 2017, is also based on GDPR-like principles such as fair use, purpose limitation, and data minimisation, but it lacks a UK adequacy decision.

• British Virgin Islands (BVI): the Data Protection Act, 2021, follows EU/UK standards closely. It lacks a “legitimate interest” basis for processing, though, and relies heavily on express consent. It is not deemed adequate.

How do data transfers from the US to its overseas territories work?

The United States has no single federal privacy law. Instead, there’s a patchwork of federal sector-specific laws and a growing number of state-level laws.

US territories, such as Puerto Rico, Guam, the U.S. Virgin Islands, and American Samoa, sit in a legal grey area. Most comprehensive state privacy laws, like the California Consumer Privacy Act (CCPA), do not apply to them. Federal laws apply inconsistently. The Health Insurance Portability and Accountability Act (HIPAA), for example, explicitly includes these territories in its definition of a “State,” so healthcare data transfers fall under its rules.

Most of these territories lack a comprehensive privacy law of their own, though. Puerto Rico and Guam have data breach notification laws, but neither has an overarching privacy framework that gives GDPR-level rights and protections.

The real risk here comes from foreign regulations, not local enforcement. If a US business has UK customers and outsources their data processing to a vendor in Puerto Rico, that counts as a restricted transfer under the UK GDPR. This means you must follow all UK transfer rules, including an IDTA and a TRA. Puerto Rico’s lack of strong local privacy laws makes passing that risk assessment difficult.

How does the EU treat transfers to BOTs and US territories?

Under the EU GDPR, every UK and US territory is a “third country.” The European Commission has only granted an adequacy decision to Gibraltar, and that’s tied to its adequacy for the UK. No other BOT or US territory is considered adequate by the EU.

Any transfer from the EU to these non-adequate territories must follow a strict process. This comes from the Court of Justice of the European Union’s Schrems II ruling:

• Use an Article 46 transfer tool: for most businesses, this means using the EU’s Standard Contractual Clauses (SCCs).

• Conduct a Transfer Impact Assessment (TIA): the Schrems II decision made clear that signing SCCs alone is not enough. You must conduct and document a TIA to check this. It should assess whether the destination country’s laws (Bermuda or Puerto Rico, for example) could force the data importer to hand data to its government in a way that breaches EU fundamental rights.

• Implement supplementary measures: if your TIA finds risks, you must add extra safeguards to reduce them. These can be technical (strong encryption), contractual, or organisational. If you cannot find effective measures, the transfer is illegal.

The legal frameworks create a hierarchy of difficulty for data transfers that runs against normal business logic. Transferring data from a UK company to Gibraltar is simple, but transferring it to Bermuda takes far more work. From an EU standpoint, transferring data to the BVI involves the same legal hurdles as transferring it to mainland China: both are non-adequate third countries that need SCCs and a TIA. Assumptions based on political ties are risky. Follow the legal checklist for every destination instead.

Table 1: UK/EU data transfer rules for overseas territories at a glance

TerritoryStatus under UK GDPRUK Transfer RequirementStatus under EU GDPREU Transfer Requirement
GibraltarThird CountryAdequacy Decision (No extra steps)Third CountryAdequacy Decision (No extra steps)
BermudaThird CountryIDTA + TRA RequiredThird CountrySCCs + TIA Required
Cayman IslandsThird CountryIDTA + TRA RequiredThird CountrySCCs + TIA Required
British Virgin IslandsThird CountryIDTA + TRA RequiredThird CountrySCCs + TIA Required
Puerto RicoThird CountryIDTA + TRA RequiredThird CountrySCCs + TIA Required
GuamThird CountryIDTA + TRA RequiredThird CountrySCCs + TIA Required

What tools can you use to make a lawful data transfer?

To legally make a restricted transfer, you must use one of the mechanisms the GDPR provides. The right one depends on your destination, your relationship with the recipient, and the nature of the transfer.

What is an adequacy decision?

An adequacy decision is a formal finding by the UK Government or European Commission that a third country’s legal system provides a level of data protection that is “essentially equivalent” to that in the UK or EU.

If a country has an adequacy decision, you can transfer personal data to that country without any further transfer-specific safeguards. It is treated almost like a transfer within the UK or EEA. Countries with adequacy include the EEA member states, Gibraltar, Japan (with some limitations), New Zealand, South Korea, and Switzerland, among others. The UK and EU have also recognised each other as adequate, allowing data to flow freely between them in most cases.

What are standard contractual clauses and the UK’s IDTA?

This is the most common tool for transfers to countries not covered by an adequacy decision.

• EU SCCs: the European Commission provides pre-approved model contract clauses that the data exporter and importer sign. Different “modules” cover different transfer scenarios, such as controller-to-processor or processor-to-processor. You must use these clauses without modification.

• UK IDTA and Addendum: after Brexit, the UK’s Information Commissioner’s Office (ICO) issued its own transfer tools. The International Data Transfer Agreement (IDTA) is a standalone contract governing transfers subject to UK law. The UK Addendum is a more flexible option you can add to the EU SCCs, letting you use one core contract for both EU and UK transfers by adding the necessary UK-specific protections.

• Important caveat: these contracts are not a box-ticking exercise. The Schrems II ruling requires them to come with a documented Transfer Risk Assessment (TRA) or Transfer Impact Assessment (TIA).

What are binding corporate rules?

Binding Corporate Rules (BCRs) are a set of internal data protection policies a multinational corporate group uses to legitimise transfers of personal data between its own entities worldwide.

BCRs suit large, sophisticated organisations with regular, high-volume, and complex internal data flows. They’re considered the gold standard for compliance, but they need significant investment. A data protection authority, such as the UK’s ICO, must formally approve BCRs, and that process can take a long time and use up a lot of resources.

What are derogations under Article 49?

Article 49 of the GDPR lists specific exceptions, or “derogations,” that apply to occasional and non-repetitive transfers when no other mechanism fits.

These include cases where the data subject gives explicit consent to the specific transfer after being fully informed of the risks, or where the transfer is necessary to perform a contract or defend legal claims. Regulators read these derogations narrowly. They don’t work as a solution for systematic, ongoing business processes, such as using a permanent cloud provider or outsourcing a business function to a third country.

Table 2: Data transfer mechanisms compared

MechanismBest ForKey Requirement(s)Complexity
Adequacy DecisionTransfers to pre-approved countriesConfirm the destination is on the adequacy list.Low
SCCs / IDTATransfers to any non-adequate country (vendors, partners, etc.)Signed contract + mandatory TIA/TRA.Medium to High
BCRsInternal transfers within a large multinational groupDPA approval of internal policies + TIA/TRA.Very High
DerogationsOne-off, exceptional, non-repetitive transfersMeeting strict, narrow criteria (e.g., explicit consent for a single transfer).Low (but very limited use)

What is a transfer risk assessment and why does it matter?

The most significant development in data transfer law in recent years was the Schrems II ruling. It changed the compliance landscape and placed a new, significant burden on every organisation that transfers data outside the UK and EU.

What did the Schrems II ruling decide?

In its 2020 Schrems II judgment, the Court of Justice of the EU invalidated the EU-US Privacy Shield framework. It found that US surveillance laws did not give EU citizens protections “essentially equivalent” to their fundamental rights under EU law.

The court upheld the validity of SCCs but added a new obligation. The company sending the data (the exporter) must check, case by case, that the laws in the destination country don’t stop the recipient (the importer) from keeping its contractual promises in the SCCs. This mandatory check is the Transfer Impact Assessment (TIA) for EU GDPR transfers, or the Transfer Risk Assessment (TRA) for UK GDPR transfers.

How do you conduct a transfer assessment (TIA/TRA)?

This is not paperwork alone; it’s a formal, documented risk analysis. The European Data Protection Board (EDPB) and the UK’s ICO have set out a multi-step process you must follow.

• Step 1: Know your transfer. Map the data flow in detail. Document what data is being sent, who the importer is, where they’re located, the purpose of the transfer, and whether there will be any “onward transfers” to other countries.

• Step 2: Identify your transfer tool. Confirm you’re relying on an appropriate safeguard, such as SCCs, the IDTA, or BCRs.

• Step 3: Assess the laws of the destination country. This is the core of the assessment. Research and document whether the country’s laws on government access to data (for national security or criminal investigations, for example) are a problem. The key question is whether these laws could force the importer to disclose data in a way that overrides the protections in your contract.

• Step 4: Identify and adopt supplementary measures. If Step 3 reveals risks, identify, implement, and document additional measures to bring protection up to the required standard.

• Step 5: Take procedural steps. Formalise the supplementary measures in your contract and finalise your documentation of the whole assessment.

• Step 6: Re-evaluate. Data protection isn’t a one-time task; it’s ongoing. Monitor for legal or practical changes in the destination country and re-evaluate your assessment at appropriate intervals.

What supplementary measures should you implement?

If your TIA/TRA finds that the destination country’s laws pose a risk, you must implement supplementary measures. These fall into three categories, and you’ll often need a mix of them.

• Technical measures: these work best. Strong, end-to-end encryption, where the data importer (and by extension, the foreign government) cannot access the decryption keys, is the gold standard. Data stays protected both in transit and at rest. Other measures include solid pseudonymisation.

• Contractual measures: add clauses that require the importer to be transparent about government access requests, to challenge requests where possible, and to notify you immediately of any changes in local law that affect their ability to comply with the SCCs.

• Organisational measures: these include strict internal policies for handling government requests, regular staff training on these procedures, tight access controls, and published transparency reports.

The TIA/TRA process effectively forces a UK or EU company to learn the surveillance laws of any country it sends data to. This legal and technical analysis goes far beyond typical commercial due diligence and is a significant, often underestimated, compliance burden.

What common mistakes do businesses make with data transfers?

The complexity of international data transfer rules creates several common traps for businesses. Failing to comply with them can lead to serious consequences.

• Mistake 1: the “territory” assumption. The most frequent error is believing a British Overseas Territory or a US territory counts as “domestic” for data transfer purposes. As this guide shows, that’s wrong for every scenario except UK-to-Gibraltar transfers.

• Mistake 2: “sign and forget” SCCs. Another major pitfall is treating SCCs or the IDTA as a simple box-ticking exercise. Using these contracts without a documented TIA/TRA has been explicitly illegal since the Schrems II ruling, and regulators focus on it heavily.

• Mistake 3: failing to document. Compliance means demonstrating your work. If a regulator investigates, you need records of your data mapping, your TIA/TRA analysis, the reasoning behind your decisions, and the supplementary measures you put in place. A lack of documentation is often treated as a compliance failure on its own.

Regulators actively enforce these rules with business-altering penalties. The Irish Data Protection Commission fined Meta a record €1.2 billion for illegal data transfers to the US, specifically for failing to protect data from US surveillance following the Schrems II ruling. TikTok was later fined €530 million for failing to adequately protect EU user data transferred to and accessed from China. Beyond fines, regulators can issue suspension orders, forcing you to halt illegal transfers and disrupting critical business operations immediately.

How does GDPRLocal simplify global compliance?

GDPRLocal provides the expert support you need to transfer data confidently and compliantly. Our services include:

• Data flow mapping and inventory: we help you “know your transfers” by identifying and mapping all cross-border data flows across your organisation, building the foundation for your compliance programme.

• Drafting and implementing transfer agreements: we make sure you have the correct, up-to-date legal mechanisms in place, whether that’s the EU SCCs, the UK IDTA, or the UK Addendum, tailored to your specific vendor and partner relationships.

• Conducting Transfer Impact/Risk Assessments (TIAs/TRAs): our team of legal and technical experts conducts the in-depth, jurisdiction-specific analysis the Schrems II standard requires, saving you the time and risk of doing it alone.

• Advising on supplementary measures: we give practical, risk-based advice on the technical, contractual, and organisational measures you need to protect your data and legitimise your transfers.

• Monitoring and updating: we keep you informed of legal changes in key jurisdictions, so your compliance framework stays current and effective as the legal landscape evolves.

• Documentation and record-keeping: we help you build and maintain thorough documentation that demonstrates your due diligence and compliance with regulatory requirements.

Conclusion

Managing international data transfers is no longer a simple contractual matter. It’s a core compliance function that demands diligence, expertise, and ongoing attention.

Never assume. always treat transfers to another country, including overseas territories, as “restricted” until you’ve confirmed their legal status. Political or geographical proximity is not a reliable guide.

Assess every transfer. Using SCCs or the IDTA is only the first step. A documented Transfer Impact or Risk Assessment is mandatory for all transfers to non-adequate destinations.

Prioritise technical safeguards. In high-risk destinations, strong technical measures such as end-to-end encryption are the most effective supplementary measures for reducing surveillance risks.

• Document everything. Your best defence is your ability to show regulators your due diligence. Keep clear records of your transfer mapping, assessments, and decisions to stay transparent and accountable.

Frequently Asked Questions

Is transferring data to a British Overseas Territory the same as transferring it within the UK?

No. Every British Overseas Territory, including Gibraltar, counts as a “third country” under the UK GDPR. Gibraltar has a UK adequacy decision, so transfers there need no extra safeguards. Other territories, like Bermuda or the Cayman Islands, need an IDTA and a TRA.

Do I need a Transfer Risk Assessment if I already have an IDTA in place?

Yes. Signing the IDTA alone is not enough. The Schrems II ruling requires you to also conduct and document a Transfer Risk Assessment (TRA) that checks whether the destination country’s laws could undermine the protections in your contract.

Which US territories are affected by these rules?

Puerto Rico, Guam, the U.S. Virgin Islands, and American Samoa all sit in a legal grey area, since most state privacy laws don’t apply there. If you send data from these territories to UK or EU customers’ data, you still need an IDTA/TRA or SCCs/TIA, depending on the source jurisdiction.

What happens if I use SCCs without a Transfer Impact Assessment?

This is treated as non-compliant. Regulators have made clear since Schrems II that a signed contract on its own does not legitimise a transfer. Without a documented TIA, you risk fines and orders to stop the transfer.

How often should I review my Transfer Risk Assessment?

Review it whenever the destination country’s laws change, or at regular intervals as part of your ongoing compliance programme. Data protection is not a one-time task, so re-evaluating older assessments is part of the required process.