Most personal data we hold is processed within the UK. In some cases, a service provider we use may process data outside the UK, for example where a technology partner operates from another country. When that happens, UK data protection law requires appropriate safeguards.
How transfers are protected
We only allow a transfer outside the UK where one of the recognised protections applies, so your data keeps an essentially equivalent level of protection. These include:
- Adequacy, where the destination country is recognised by the UK as providing adequate protection.
- Contractual safeguards such as the UK International Data Transfer Agreement or the Addendum to standard contractual clauses.
- Additional measures where needed, such as encryption and access controls.
Why a transfer might happen
Transfers are usually about infrastructure, such as where a hosting or support service is located, rather than about sharing data for new purposes. The reason for processing does not change just because a provider operates abroad.
Finding out more
Our privacy notice explains our approach to international transfers. If you want to know whether your data is processed outside the UK and what safeguards apply, our data protection team can tell you.