Statutory restriction — Article 44A UK GDPR and the Data (Use and Access) Act 2025 reform
The United Kingdom restricts international transfers of personal data under Chapter V of the UK General Data Protection Regulation (UK GDPR), as amended by the Data (Use and Access) Act 2025 (c. 18). The Data (Use and Access) Act 2025 received Royal Assent on 13 March 2025 and fundamentally reformed the UK's transfer regime by omitting the original Article 44 and inserting a new Article 44A, alongside a "not materially lower" standard that diverges from the EU GDPR's essential-equivalence requirement.
Article 44A — the general transfer restriction
Schedule 7 paragraph 2 of the Data (Use and Access) Act 2025 omitted the original Article 44 and inserted a replacement provision, Article 44A. Under Article 44A, a controller or processor may transfer personal data to a third country or an international organisation only if one of three conditions is met:
- Adequacy regulations under Article 45A — the Secretary of State has made regulations approving transfers to the third country or international organisation, and the transfer is approved by or falls within the description of transfers approved by those regulations;
- Appropriate safeguards under Article 46 — the transfer is made subject to appropriate safeguards; or
- A derogation under Article 49 — the transfer falls within one of the enumerated derogations for specific situations.
Article 44A paragraph 3 provides that a transfer may not be made in reliance on the appropriate-safeguards or derogation grounds if doing so would breach a restriction imposed by regulations under Article 49A.
The "not materially lower" standard — Articles 45A and 45B
Schedule 7 of the 2025 Act omitted the original Article 45 (transfers on the basis of an adequacy decision) and replaced it with a new two-article regime comprising Article 45A (power to make adequacy regulations) and Article 45B (the data protection test). The critical shift is the replacement of the "essential equivalence" standard historically applied by the European Commission under EU GDPR Article 45 with a "not materially lower" threshold.
Article 45B paragraph 1 provides that the data protection test is met in relation to transfers if "the standard of the protection provided for data subjects with regard to general processing of personal data in the country or by the organisation is not materially lower than the standard of the protection provided for data subjects" by the UK GDPR and Parts 5 to 7 of the Data Protection Act 2018, so far as relevant to general processing. Article 45B paragraph 2 requires the Secretary of State to consider, among other things, the rule of law, enforceable data subject rights, oversight mechanisms, and the country's rules about onward transfers to other countries or international organisations.
Article 45A empowers the Secretary of State to make regulations approving transfers by reference to a third country (in whole or as to a territory or sector within that country) or to an international organisation. Article 45A(4) permits the Secretary of State to approve all transfers to a jurisdiction or to limit approval only to transfers specified or described in the regulations, including by reference to a sector, geographic area, relevant legislation, schemes, lists, or other arrangements as they have effect from time to time.
Supervisory authority and enforcement
The Information Commissioner's Office (ICO), established under Part 5 of the Data Protection Act 2018 and continued under UK GDPR Article 51, is the supervisory authority responsible for monitoring application of the UK GDPR. Under UK GDPR Article 57, the ICO has tasks including monitoring and enforcing application of Chapter V. Article 58 confers investigative, corrective, and authorisation powers, including the power to order suspension of data flows to a third country or international organisation and to impose administrative fines under Article 83 for infringement of Chapter V transfer restrictions.
Divergence from EU GDPR post-Brexit
The UK is a "third country" for purposes of the EU GDPR. Schedule 7 to the Data (Use and Access) Act 2025 introduced material divergence between the UK and EU transfer regimes: the EU retains the essential-equivalence standard under EU GDPR Article 45, as interpreted by the Court of Justice of the European Union in Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems (Case C-311/18, judgment of 16 July 2020, "Schrems II"), whereas the UK now applies the "not materially lower" threshold under Article 45B. Controllers and processors transferring personal data from both the UK and the EU to the same third country must maintain dual assessments and may need to rely on distinct legal mechanisms for each export.
Source: UK General Data Protection Regulation (Regulation (EU) 2016/679 as retained in UK law)
Source: Data (Use and Access) Act 2025 (c. 18), Schedule 7
Source: Data Protection Act 2018 (c. 12)
UK adequacy regulations — approved third countries and the "not materially lower" assessment
The Secretary of State may approve transfers of personal data to third countries, territories, sectors, or international organisations by making regulations under Article 45A of the UK GDPR (as inserted by Schedule 7 to the Data (Use and Access) Act 2025). A transfer covered by adequacy regulations may proceed without the need for additional safeguards under Article 46 or reliance on a derogation under Article 49. Adequacy regulations remain the most efficient mechanism for complying with the UK's transfer restrictions because personal data may flow freely to the approved destination without further contractual protections or a transfer risk assessment.
The "not materially lower" standard
Article 45B(1) UK GDPR sets out the data protection test for adequacy. The Secretary of State may make adequacy regulations only if "the standard of the protection provided for data subjects with regard to general processing of personal data in the country or by the organisation is not materially lower than the standard of the protection provided for data subjects" by the UK GDPR and Parts 5 to 7 of the Data Protection Act 2018. This "not materially lower" threshold, introduced by the Data (Use and Access) Act 2025, diverges from the "essential equivalence" standard applied under EU GDPR Article 45 and the Court of Justice of the European Union's Schrems II judgment (Case C-311/18). Controllers and processors transferring personal data from both the UK and the EU to the same third country must maintain dual assessments and may rely on distinct legal bases for each export.
Article 45B(2) requires the Secretary of State to consider, among other things, the rule of law, enforceable data subject rights, oversight mechanisms, and the country's rules about onward transfers to other countries or international organisations. The ICO assists the Department for Science, Innovation and Technology (DSIT) with adequacy assessments pursuant to a published Memorandum of Understanding, and publishes an Opinion on each adequacy assessment the Government undertakes.
Countries and territories covered by UK adequacy regulations
As of May 2026, the UK has adequacy regulations in force for the following jurisdictions:
Full adequacy (all general-processing transfers are approved):
- European Economic Area — all EU member states (Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden) and the EFTA states (Iceland, Liechtenstein, Norway), together with EU or EEA institutions, bodies, offices, or agencies.
- Countries and territories covered by European Commission adequacy decisions valid as at 31 December 2020 — these were transitioned into UK law when the UK left the EU and remain in force: Andorra, Argentina, Faroe Islands, Gibraltar, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, and Uruguay.
Partial adequacy (only certain transfers are approved, subject to the scope limitations below):
- Canada — adequacy applies only to personal data that is subject to Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).
- Japan — adequacy applies only to personal data transferred to private sector organisations falling within the scope of Japan's Act on the Protection of Personal Information (APPI) by Personal Information Handling Business Operators (PIHBOs) within the meaning of the APPI. The EU's adequacy decision for Japan lists sectoral exclusions that also apply to UK adequacy.
- United States of America — adequacy applies only to personal data transferred under the UK Extension to the EU-US Data Privacy Framework. The Data Protection (Adequacy) (United States of America) Regulations 2023 came into force on 12 October 2023. Only personal data within the scope of the EU-US Data Privacy Framework Principles may be transferred to US organisations that participate in the UK Extension. A UK controller or processor must verify that the intended recipient is certified on the Data Privacy Framework List maintained by the US Department of Commerce before relying on adequacy. The UK Extension is administered by the US Department of Commerce, and the independent supervisory authorities are the US Federal Trade Commission and the US Department of Transportation.
Monitoring and review
Article 45C UK GDPR (inserted by the 2025 Act) requires the Secretary of State to monitor developments in third countries and international organisations on an ongoing basis. Where the Secretary of State becomes aware that the data protection test is no longer met in relation to transfers approved by regulations under Article 45A, the Secretary of State must, to the extent necessary, amend or revoke the regulations. Article 45C(4) obliges the Information Commissioner to publish and keep up to date a list of third countries and international organisations that are currently approved by regulations under Article 45A, and a list of those that have been approved in the past but are no longer approved.
A practitioner contemplating a transfer to a country not on the approved list must rely on appropriate safeguards under Article 46 (such as the UK International Data Transfer Agreement, the UK Addendum to the EU SCCs, or approved binding corporate rules), combined with a transfer risk assessment, or on one of the derogations under Article 49.
Source: UK General Data Protection Regulation, Article 45A–45C (as amended by the Data (Use and Access) Act 2025, Schedule 7)
Source: Data Protection (Adequacy) (United States of America) Regulations 2023
Source: ICO, Adequacy regulations — list of countries and territories
UK International Data Transfer Agreement and UK Addendum — Article 46 appropriate safeguards
Controllers and processors making restricted transfers to third countries or international organisations that do not benefit from UK adequacy regulations may rely on one of the "appropriate safeguards" listed in Article 46 of the UK GDPR. The two principal contractual safeguards issued by the Information Commissioner's Office (ICO) under section 119A of the Data Protection Act 2018 are the UK International Data Transfer Agreement (IDTA) and the UK International Data Transfer Addendum to the European Commission's Standard Contractual Clauses (UK Addendum). Both came into force on 21 March 2022 and serve as alternatives to each other; organisations select one or the other depending on their operational footprint and existing contractual arrangements.
Statutory authority — section 119A DPA 2018
Section 119A(1) of the Data Protection Act 2018 empowers the Information Commissioner to issue a document specifying standard data protection clauses which the Commissioner considers are capable of securing that the data protection test set out in Article 46 of the UK GDPR is met in relation to transfers of personal data. The IDTA and the UK Addendum were laid before Parliament on 2 February 2022 and, following the 40-day parliamentary approval period prescribed by section 119A(6), entered into force on 21 March 2022. Article 46(2)(d) UK GDPR recognises "standard data protection clauses specified in a document issued (and not withdrawn) by the Commissioner under section 119A … of the 2018 Act and for the time being in force" as an approved appropriate safeguard.
The UK International Data Transfer Agreement (IDTA)
The IDTA is a standalone contractual agreement designed for transfers from the UK to non-adequate countries. It is structured in four parts:
- Part 1 — Tables (mandatory): the parties complete case-specific details including the exporter and importer identity, transfer details (categories of data subjects, categories of personal data, purposes, and onward-transfer provisions), and the role relationship (controller-to-controller, controller-to-processor, processor-to-processor, or processor-to-controller).
- Part 2 — Extra Protection Clauses (optional): allows the parties to add supplementary technical or organisational measures where a transfer risk assessment identifies residual risks not fully mitigated by the IDTA's mandatory clauses.
- Part 3 — Commercial Clauses (optional): permits inclusion of commercial terms. The ICO guidance notes that if making a restricted transfer to a processor, parties may add in the clauses required by Article 28 of the UK GDPR, though the IDTA itself does not provide a data processing agreement. Controllers transferring to processors must incorporate Article 28 clauses in a linked agreement.
- Part 4 — Mandatory Clauses: contains the binding data-protection obligations for exporter and importer, including purpose limitation, data security measures, onward-transfer controls, data-subject rights (access, rectification, erasure, restriction, portability, objection), breach notification, and cooperation with the ICO.
Section 9 of the IDTA's Mandatory Clauses requires the importer to provide the exporter with information about local laws and practices that may affect the transfer ("Importer Information"), enabling the exporter to conduct the transfer risk assessment. The IDTA also contains suspension and termination provisions in Sections 27–28 and 30 where a "significant harmful impact" on data subjects arises.
The UK Addendum to the EU SCCs
The UK Addendum is a modular add-on to the European Commission's standard contractual clauses adopted on 4 June 2021 (Commission Implementing Decision (EU) 2021/914). Organisations that have entered into the 2021 EU SCCs for transfers from the EEA may use the UK Addendum to cover parallel transfers from the UK, avoiding the need to negotiate a second standalone agreement. The UK Addendum comprises:
- Part 1 — Tables: mirrors the IDTA structure, requiring the parties to specify which modules of the EU SCCs (Module 1: controller to controller; Module 2: controller to processor; Module 3: processor to processor; Module 4: processor to controller) are in use, the effective date, and the UK-specific adaptations.
- Part 2 — Mandatory Clauses: sets out the UK-specific obligations that supplement the EU SCCs, including the requirement that the data protection test under UK law is met and the parties' cooperation with the ICO.
The ICO guidance states that organisations may incorporate the Part 2 Mandatory Clauses by reference only (so they do not need to set them out in full), provided they include the text set out in the "Alternative Part 2 Mandatory Clauses."
Choosing between the IDTA and the UK Addendum
Controllers and processors transferring personal data from the UK only will typically find the IDTA simpler, as it is a single standalone document. Organisations transferring personal data from both the UK and the EEA to the same recipient will usually prefer the UK Addendum layered onto the 2021 EU SCCs, because the same underlying modular clauses cover both UK and EU transfers with minimal duplication. Both mechanisms are legally equivalent for UK GDPR compliance; the choice is operational.
Transfer risk assessment (TRA) — mandatory for all Article 46 safeguards
The ICO guidance states that if relying on an Article 46 transfer mechanism (including the IDTA or the UK Addendum), the exporter must carry out a transfer risk assessment before making the restricted transfer. The TRA helps the exporter consider whether, in the circumstances of the transfer and with the chosen Article 46 transfer mechanism in place, the relevant protections for people under the UK data protection regime will be undermined. The ICO guidance identifies two broad types of risk the exporter must consider:
- Risks to people's rights arising in the destination country from access to the information by third parties that are not bound by the Article 46 transfer mechanism, in particular government and public bodies (for example, surveillance laws, national-security access, or law-enforcement data requests that conflict with the IDTA or Addendum obligations).
- Risks arising from the receiver's own actions or practices, including whether the receiver's legal system provides effective and enforceable data-subject rights and effective administrative and judicial redress.
The ICO notes that the TRA is a requirement under UK data protection laws, confirmed by the Court of Justice of the European Union in Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems (Case C-311/18, judgment of 16 July 2020, "Schrems II"), which established the role of risk assessments in the rules on restricted transfers.
If the TRA identifies conflicts between local law and the IDTA or Addendum obligations, the ICO guidance instructs the exporter to implement supplementary technical or organisational measures (for example, encryption, pseudonymisation, or contractual commitments to challenge government requests) where feasible, or to suspend or refrain from making the transfer where the IDTA or Addendum can no longer deliver appropriate safeguards. Both the IDTA and the UK Addendum contain built-in suspension and termination mechanisms for such circumstances.
Ongoing monitoring and review
The ICO guidance requires that for ongoing or repeated transfers, the exporter must regularly reassess the level of protection the Article 46 transfer mechanism provides (and any extra steps and extra protections taken alongside it), to ensure that the level of protection does not decrease over time. The exporter must consider whether the level of protection may be undermined by changes in the law or practices of the destination country, changes in the receiver's practices or ownership, or changes in UK law or ICO guidance. The IDTA and UK Addendum both permit the parties to elect automatic updating when the ICO issues a new version of the standard clauses, pursuant to section 119A(2) DPA 2018.
Source: Data Protection Act 2018 (c. 12), section 119A
Source: ICO, What are standard data protection clauses (the UK IDTA and the Addendum)?
Source: ICO, International Data Transfer Agreement (IDTA)
Source: ICO, Transfer risk assessments
Article 49 derogations — specific situations permitting transfers without adequacy or safeguards
When a restricted transfer to a third country or international organisation is not covered by UK adequacy regulations (Article 45A) and the controller or processor cannot rely on appropriate safeguards under Article 46, the transfer may proceed only if one of the derogations for specific situations listed in Article 49 of the UK GDPR applies. These derogations are narrow exceptions: the Information Commissioner's Office (ICO) guidance and the European Data Protection Board (EDPB) guidelines on which UK practice is based emphasise that derogations must be interpreted restrictively so that the exception does not become the rule, and they should not be relied upon for transfers "on a large scale and in a systematic manner." Article 49 was amended by Schedule 7 paragraph 9 of the Data (Use and Access) Act 2025, which received Royal Assent on 13 March 2025, to align references to the new adequacy framework under Articles 44A, 45A, and 46.
The eight Article 49(1) derogations
A controller or processor may make a restricted transfer without adequacy regulations or appropriate safeguards only if the transfer falls within one of the following categories:
1. Explicit consent (Article 49(1)(a)): The data subject has explicitly consented to the proposed transfer after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards. Explicit consent must be specific and informed about the restricted transfer the controller wants to make. The ICO guidance requires the controller to give the data subject precise details about the specific restricted transfer, the destination country, what will happen to the data there, and the possible risks involved in making a restricted transfer to the country without any other safeguards in place. This exception does not apply to public authorities when exercising their public powers.
2. Contract performance (Article 49(1)(b)): The transfer is necessary for the performance of a contract between the data subject and the controller, or for the implementation of pre-contractual measures taken at the data subject's request. This exception only applies if the restricted transfer is necessary for the core purpose of the contract or the pre-contract steps. The ICO guidance provides the example of a UK travel company that does not routinely arrange for its customers to stay at a particular Peruvian hotel: if a customer wishes to reserve a room at that hotel, the travel company may rely on this exception to send the customer's name, room requirements, and length of stay to the hotel in Peru to hold the room before the contract is concluded. The guidance notes that if the company routinely arranged stays at that hotel, it should instead put appropriate safeguards (such as the IDTA) in place. This exception does not apply to public authorities when exercising their public powers.
3. Contract in the data subject's interest (Article 49(1)(c)): The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person. The ICO guidance notes that this exception covers situations where the data subject is not a party to the contract, but the contract is concluded in their interest (for example, a parent entering into a contract on behalf of a child, or an employee benefit arrangement where the employer contracts with a third-party provider for the employee's benefit).
4. Important reasons of public interest (Article 49(1)(d)): The transfer is necessary for important reasons of public interest. The public interest must be recognised in UK law; this does not include international treaties or agreements standing alone, but it does include any UK law made to give effect to an international agreement or treaty. The Secretary of State may by regulations specify under Article 49A(1) (a new provision inserted by the Data (Use and Access) Act 2025) circumstances in which a transfer is to be taken to be necessary for important reasons of public interest, and circumstances in which a transfer not required by an enactment is not to be taken to be necessary for this purpose. This exception applies to both public and private organisations. The ICO guidance gives examples including international exchanges of personal information between competition authorities, tax or customs administrations, financial supervisory authorities for their regulatory functions, or public authorities dealing with social security matters. The ICO stated in a September 2020 letter regarding US Securities and Exchange Commission-regulated UK firms that it would not find a breach of the transfer rules if a firm provided evidence that it had carefully considered and appropriately applied the Article 49(1)(d) public interest derogation.
5. Establishment, exercise, or defence of legal claims (Article 49(1)(e)): The transfer is necessary for the establishment, exercise, or defence of legal claims. The ICO guidance (updated in January 2026) clarifies that "legal claims" for purposes of Article 49 takes the same meaning as under Article 9(2)(f) (special category data processing), which the ICO interprets to include proceedings before a court or administrative or out-of-court procedure (including investigation or settlement stages), provided the claim is made in good faith and there is a real prospect that the transfer will be used in proceedings. The necessity requirement means the transfer must be targeted and proportionate to the legal claim.
6. Vital interests (Article 49(1)(f)): The transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent. Vital interests cover situations where someone's life, or their physical or mental health or wellbeing, is at urgent and serious risk and the person is unable to give consent (because the person is physically or legally incapable of consenting). The ICO guidance notes this includes an urgent need for life-sustaining food, water, clothing, or shelter.
7. Transfers from a public register (Article 49(1)(g)): The transfer is made from a register which according to UK law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by UK law for consultation are fulfilled in the particular case. This derogation is narrow: it covers only transfers from official public registers (such as the companies register at Companies House or the land register) and only to the extent permitted by the law establishing the register.
8. Compelling legitimate interests — not prohibited and limited (Article 49(1), second subparagraph): Where none of the other derogations applies, a transfer may be made if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. The controller must inform the Information Commissioner of the transfer, and must inform the data subject of the transfer and of the compelling legitimate interests pursued. The ICO guidance and EDPB guidelines make clear this is a residual, last-resort derogation for genuinely one-off transfers that cannot wait for appropriate safeguards to be put in place.
Necessity and proportionality
For most of the Article 49 exceptions (all except explicit consent and transfers from a public register), the controller or processor must ensure the restricted transfer is necessary. Necessary does not mean absolutely essential, but the controller must ensure the transfer is targeted and proportionate to achieve the stated purpose. The ICO guidance instructs controllers to first consider whether they can reasonably achieve the same purpose by other means; if it is reasonable and proportionate to put in place appropriate safeguards (for example, an IDTA) including any extra steps identified in a transfer risk assessment, it is unlikely to be necessary and proportionate to rely on an exception. It is not enough to argue that the transfer is necessary because the controller has chosen to operate its business in a particular way; the question is whether the transfer is objectively necessary and proportionate for the stated purpose.
Documentation and ongoing reliance
The ICO guidance (drawing on EDPB guidelines) states that derogations should not be relied on for making transfers "on a large scale and in a systematic manner." Their use must be considered on a case-by-case basis, with careful thought and analysis, as the need for individual transfers arises. The controller should keep records of transfers made in reliance on Article 49 derogations to demonstrate compliance. If a controller finds itself making repeated transfers to the same third country or international organisation under Article 49, the ICO expects the controller and the receiver to work together to try to put in place an Article 46 transfer mechanism (such as the IDTA or UK Addendum) as a long-term solution.
Relationship to Article 49A
Article 49A (inserted by Schedule 7 paragraph 10 of the Data (Use and Access) Act 2025) empowers the Secretary of State to make regulations specifying circumstances in which a transfer is to be taken to be necessary for important reasons of public interest under Article 49(1)(d), and circumstances in which a transfer not required by an enactment is not to be taken to be necessary for that purpose. Article 49A also permits regulations to impose restrictions on reliance on Article 49 derogations. Article 44A(3) provides that a transfer may not be made in reliance on the Article 46 appropriate-safeguards or Article 49 derogation grounds if doing so would breach a restriction imposed by regulations under Article 49A. As of June 2026, no regulations under Article 49A have been laid.
Source: UK General Data Protection Regulation, Article 49 (as amended by Data (Use and Access) Act 2025, Schedule 7 paragraph 9)
Source: Data (Use and Access) Act 2025 (c. 18), Schedule 7 paragraph 9–10
Source: ICO, What are the exceptions?
Source: ICO, What are the rules on exceptions?
Binding corporate rules (BCRs) — Article 47 approval for multinational group transfers
Multinational corporate groups making intra-group restricted transfers of personal data from the UK to non-adequate countries may rely on binding corporate rules (BCRs) as an appropriate safeguard under Article 46(2)(b) of the UK GDPR. BCRs are an alternative to the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, designed specifically for transfers within a group of undertakings or a group of enterprises engaged in a joint economic activity (such as franchises or joint ventures). BCRs require approval by the Information Commissioner, which the Commissioner grants under Article 58(3)(j) UK GDPR where the BCRs meet the requirements set out in Article 47.
Statutory authority — Article 46(2)(b) and Article 47 UK GDPR
Article 46(2)(b) UK GDPR recognises "binding corporate rules" as an appropriate safeguard that permits a controller or processor to make a restricted transfer to a third country or international organisation. Article 47(1) provides that the Commissioner shall approve binding corporate rules, provided they:
- are legally binding and apply to and are enforced by every member concerned of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees;
- expressly confer enforceable rights on data subjects with regard to the processing of their personal data; and
- fulfil the requirements laid down in Article 47(2).
Schedule 7 paragraph 7 of the Data (Use and Access) Act 2025 inserted the words "Transfers subject to appropriate safeguards:" at the beginning of the Article 47 heading; that amendment came into force on 5 February 2026.
Article 47(2) minimum requirements
Article 47(2) UK GDPR requires BCRs to specify at least the following:
- Structure and contact details — the structure and contact details of the group and of each of its members (Article 47(2)(a));
- Scope of transfers — the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected, and the identification of the third country or countries in question (Article 47(2)(b));
- Legally binding nature — their legally binding nature, both internally and externally (Article 47(2)(c));
- Data protection principles — the application of the general data protection principles, in particular purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the binding corporate rules (Article 47(2)(d));
- Data subject rights — the rights of data subjects in regard to processing and the means to exercise those rights, including the right to protection in connection with decisions based solely on automated processing (including profiling), the right to lodge a complaint with the Commissioner and before the UK courts, and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules (Article 47(2)(e));
- Acceptance of responsibility by UK member — the acceptance by the controller or processor established on the territory of the United Kingdom of liability for any breaches of the binding corporate rules by any member concerned not established in the United Kingdom; the controller or the processor shall be exempt from that liability, in whole or in part, only if it proves that that member is not responsible for the event giving rise to the damage (Article 47(2)(f));
- Information for data subjects — how the information on the binding corporate rules, in particular on the provisions referred to in Article 47(2)(d), (e), and (f), is provided to the data subjects in addition to Articles 13 and 14 (Article 47(2)(g));
- Responsibility for data protection compliance — the tasks of any data protection officer designated in accordance with Article 37 or any other person or entity in charge of the monitoring compliance with the binding corporate rules within the group, as well as monitoring training and complaint handling (Article 47(2)(h));
- Complaint procedures (Article 47(2)(i));
- Compliance verification mechanisms — the mechanisms within the group for ensuring the verification of compliance with the binding corporate rules. Such mechanisms shall include data protection audits and methods for ensuring corrective actions to protect the rights of the data subject (Article 47(2)(j));
- Reporting to ICO on local law conflicts — the mechanisms for reporting to the Commissioner any legal requirements to which a member of the group is subject in a third country which are likely to have a substantial adverse effect on the guarantees provided by the binding corporate rules (Article 47(2)(m)); and
- Data protection training — the appropriate data protection training to personnel having permanent or regular access to personal data (Article 47(2)(n)).
ICO approval process
The ICO approves UK BCRs under Article 58(3)(j) UK GDPR. The ICO has published detailed guidance for controller BCRs (UK BCR-C) and processor BCRs (UK BCR-P), together with application forms and a UK BCR Referential Table that applicants must complete. The ICO guidance states that the application package comprises a completed application form, an intra-group agreement (IGA) or other legally binding instrument, a BCR Policy document that must be published in full after approval (providing data subjects with the key Article 47 information about their data and its transfers), and supporting documents including the completed ICO UK BCR Referential Table demonstrating where each Article 47 requirement is met.
The ICO guidance emphasises that applicants must demonstrate an understanding of the spirit and intent behind Article 47 in their policies and procedures, and their compliance with Article 47 and the UK GDPR more broadly. The ICO guidance notes that organisations with multiple UK legal entities within a single BCR may use an "exporting entity model," where each UK exporter has a separate liability model, provided the structure does not undermine effective and enforceable rights. The ICO requires the nominated UK entity (or entities) to demonstrate sufficient assets to remedy any breach of the UK BCRs.
UK BCR Addendum for organisations with existing EU BCRs
The ICO recognises that BCR applicants may seek both EU and UK BCRs and that Article 47 requirements in both jurisdictions currently overlap. For organisations that have already obtained approval of EU BCRs from an EU supervisory authority, the ICO offers a streamlined route: the UK BCR Addendum. The UK BCR Addendum is a standard-form or template document that layers UK-specific obligations onto the approved EU BCR, enabling the organisation to obtain a UK BCR approval without completing a full UK BCR application form or referential table.
The ICO guidance describes the UK BCR Addendum as comprising three parts:
- Part 1 confirms that the applicant has an approved EU BCR and explains how the UK BCR Addendum forms a UK BCR meeting the requirements of Article 47 UK GDPR;
- Part 2 comprises four tables for the applicant to complete specifying key information including the start date (inserted after ICO approval), the Lead UK BCR Member responsible for breaches by non-UK BCR members, the documents forming the approved EU BCR, and selections for type of UK BCR (controller or processor), BCR Members' decision process, which UK laws apply, and whether future updates to the Addendum will apply automatically; and
- Part 3 is a UK BCR Summary — a concise, data-subject-facing document setting out how personal data is processed under the UK BCR, the rights data subjects have, and how to enforce them.
The ICO guidance states that applicants using the UK BCR Addendum email the completed Addendum and requested documents to the ICO. The ICO guidance notes that all BCR Members must sign the Addendum, as it is structured as an intra-group agreement, and that the UK BCR Summary must be published alongside the EU BCR (or EU BCR summary) after approval. Organisations with existing UK BCR approval may also use the UK BCR Addendum if they wish to amend their UK BCR to align with an EU BCR.
Transitional BCRs approved under Directive 95/46/EC
Holders of EU BCRs for which the Information Commissioner issued an authorisation under Directive 95/46/EC before 25 May 2018 were automatically eligible for a UK BCR under paragraph 9, Part 3, Schedule 21 to the Data Protection Act 2018 (as amended from 1 January 2021). The ICO maintains a list of such BCRs on its website.
Transfer risk assessment requirement
The ICO guidance states that an exporter relying on BCRs must complete a transfer risk assessment (TRA) before making the restricted transfer. The ICO guidance notes that the TRA is a requirement under UK data protection laws, confirmed by the Court of Justice of the European Union in Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems (Case C-311/18, "Schrems II"), which established the role of risk assessments in the rules on restricted transfers. The ICO guidance instructs the exporter to consider whether, in the circumstances of the transfer and with the BCR in place, the relevant protections for people under the UK data protection regime will be undermined.
The ICO guidance identifies two broad types of risk the exporter must consider: risks arising in the destination country from third parties (in particular government and public bodies) accessing the information where they are not bound by the BCR — for example, surveillance laws, national-security access, or law-enforcement data requests that conflict with the BCR obligations; and risks arising from the receiver's own actions or practices, including whether the receiver's legal system provides effective and enforceable data-subject rights and effective administrative and judicial redress.
Where the TRA identifies conflicts between local law and the BCR obligations, the ICO guidance instructs the exporter to implement supplementary technical or organisational measures (for example, encryption, pseudonymisation, or contractual commitments to challenge government requests) where feasible, or to suspend or refrain from making the transfer where the BCR can no longer deliver appropriate safeguards. Article 47(2)(m) obliges the group to establish mechanisms for reporting to the ICO any legal requirements to which a member is subject in a third country that are likely to have a substantial adverse effect on the guarantees provided by the BCRs.
When to choose BCRs over IDTA or UK Addendum
BCRs are the preferred Article 46 safeguard for multinational groups making high-volume, repeated intra-group transfers where:
- the group has a significant number of affiliates in non-adequate countries;
- the group wishes to centralise the transfer mechanism and compliance obligations in a single, group-wide policy rather than negotiating bilateral IDTAs or UK Addenda with each affiliate; or
- the group operates shared IT systems, centralised HR processing, or global customer-relationship-management platforms that involve continuous flows of personal data among group members.
Controllers and processors making ad hoc or one-off transfers to third-party recipients outside the group, or making transfers to a small number of group affiliates, will usually find the IDTA or UK Addendum faster and simpler to implement, as those mechanisms do not require ICO approval and can be executed immediately.
Interaction with adequacy regulations and other safeguards
Where a restricted transfer from the UK is destined for a third country covered by UK adequacy regulations under Article 45A, the exporter does not need to rely on BCRs (or any other Article 46 safeguard) for that transfer. BCRs are relevant only for transfers to countries or sectors not covered by adequacy. If an organisation holds approved UK BCRs but also makes transfers to third-party recipients outside the group, those third-party transfers require a separate Article 46 safeguard (typically an IDTA or UK Addendum with the third-party recipient) or reliance on an Article 49 derogation.
Source: UK General Data Protection Regulation, Article 46(2)(b)
Source: UK General Data Protection Regulation, Article 47 (as amended by Data (Use and Access) Act 2025, Schedule 7 paragraph 7)
Source: Data (Use and Access) Act 2025 (Commencement No. 6) Regulations 2026 (S.I. 2026/82)
Source: ICO, Guide to Binding Corporate Rules
Source: ICO, What are binding corporate rules?
Binding corporate rules — Article 47 UK GDPR intra-group transfer mechanism
Binding corporate rules (BCRs) are an Article 46(2)(b) appropriate safeguard that multinational groups may use to authorise transfers of personal data from the UK to third countries within the same corporate group or group of enterprises engaged in a joint economic activity. Article 47 of the UK GDPR, as amended by the Data (Use and Access) Act 2025, provides the statutory framework for BCRs. The Information Commissioner's Office (ICO) describes BCRs as the "gold standard" transfer mechanism because they demonstrate the group's commitment to implementing comprehensive data-protection safeguards across its global operations. Unlike the UK International Data Transfer Agreement (IDTA) or the UK Addendum, which are bilateral contracts between two entities, a BCR is a single binding instrument that governs all intra-group transfers from the UK to third countries, reducing the administrative burden for groups that make many such transfers.
Statutory definition and scope — Article 4(20) and Article 47(1)
Article 4(20) UK GDPR defines "binding corporate rules" as personal data protection policies which are adhered to by a controller or processor established in the UK for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity. The scope covers both controller BCRs (UK BCR-C) for intra-group controller-to-controller transfers and processor BCRs (UK BCR-P) for intra-group processor-to-processor transfers or processor-to-controller transfers.
Article 47(1) UK GDPR provides that the Information Commissioner shall approve binding corporate rules, provided that they meet three conditions: (a) they are legally binding and apply to and are enforced by every member concerned of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees; (b) they expressly confer enforceable rights on data subjects with regard to the processing of their personal data; and (c) they fulfil the requirements laid down in Article 47(2).
Article 47(2) mandatory content requirements
Article 47(2) UK GDPR sets out thirteen mandatory elements that BCRs must contain. Controllers and processors preparing BCRs for ICO approval must address each element in the BCR policy, the binding instrument, or the application form. The mandatory requirements are:
- (a) Structure and contact details — the structure and contact details of the group of undertakings, or group of enterprises engaged in a joint economic activity, and of each of its members;
- (b) Data transfers — the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected, and the identification of the third country or third countries in question;
- (c) Legally binding nature — their legally binding nature, both internally and externally;
- (d) Data protection principles — the application of the general data protection principles, in particular purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the binding corporate rules;
- (e) Data subject rights — the rights of data subjects in regard to processing and the means to exercise those rights, including the right to protection in accordance with Articles 22A to 22D (automated decision-making, as amended by the Data (Use and Access) Act 2025), the right to make a complaint to the controller under section 164A of the Data Protection Act 2018, the right to make a complaint to the Commissioner under section 165 of the 2018 Act, the right to lodge a complaint with a court in accordance with Article 79, and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules;
- (f) Liability and third-party beneficiary rights — the acceptance by the controller or processor established in the United Kingdom of liability for any breaches of the binding corporate rules by any member concerned not established in the United Kingdom; the controller or processor shall be exempt from that liability, in whole or in part, only if it proves that that member is not responsible for the event giving rise to the damage;
- (g) Information for data subjects — how the information on the binding corporate rules, in particular on the provisions referred to in points (d), (e) and (f) of Article 47(2) is provided to the data subjects in addition to Articles 13 and 14;
- (h) DPO or compliance function — the tasks of any data protection officer designated in accordance with Article 37 or of any other person or entity in charge of the monitoring compliance with the binding corporate rules within the group of undertakings, or group of enterprises engaged in a joint economic activity, as well as monitoring training and complaint handling;
- (i) Complaint procedures — the complaint procedures;
- (j) Compliance verification mechanisms — the mechanisms within the group of undertakings, or group of enterprises engaged in a joint economic activity for ensuring the verification of compliance with the binding corporate rules. Such mechanisms shall include data protection audits and methods for ensuring corrective actions to protect the rights of the data subject. Results of such verification should be communicated to the person or entity referred to in point (h) and to the board of the controlling undertaking of a group of undertakings, or of the group of enterprises engaged in a joint economic activity, and should be available upon request to the Commissioner;
- (k) Change and update mechanisms — the mechanisms for reporting and recording changes to the rules and reporting those changes to the Commissioner;
- (l) Cooperation with supervisory authority — the cooperation mechanism with the Commissioner to ensure compliance by any member of the group of undertakings, or group of enterprises engaged in a joint economic activity, in particular by making available to data subjects the results of verifications of the measures referred to in point (j);
- (m) Reporting conflicting legal requirements — the mechanisms for reporting to the Commissioner any legal requirements to which a member of the group of undertakings, or group of enterprises engaged in a joint economic activity is subject in a third country which are likely to have a substantial adverse effect on the guarantees provided by the binding corporate rules; and
- (n) Data protection training — the appropriate data protection training to personnel having permanent or regular access to personal data.
ICO approval pathways — traditional UK BCR application or UK BCR Addendum
The ICO offers two distinct pathways for obtaining a UK BCR approval, depending on whether the group already holds an approved EU BCR:
Traditional UK BCR application
Groups without an existing EU BCR, or groups that prefer a standalone UK BCR, must submit a comprehensive application pack to the ICO comprising (i) a completed application form; (ii) a BCR Policy document (which the ICO expects the group to publish in full to provide data subjects with key Article 47 information about their data and its transfers); (iii) a binding instrument (such as an intra-group agreement or IGA) that is legally binding on all group members and confers enforceable third-party beneficiary rights on data subjects; (iv) a completed ICO UK BCR Referential Table indicating where in the documentation each Article 47(2) requirement is met; and (v) any supporting policies, procedures, or audit reports. The ICO's detailed controller guidance and processor guidance, comprising 11 and 13 sections respectively, set out the ICO's expectations for each element. The ICO states that it will seek assurances during the approval process that the UK entity (or entities, in an exporting entity model where multiple UK legal entities transfer under the same BCR with separate liability models) has or can call on sufficient assets to meet liabilities under the BCR.
UK BCR Addendum
Groups that already hold an approved EU BCR may apply for a UK BCR by adding the UK BCR Addendum (version C.1.0, issued 19 December 2023) onto the approved EU BCR, together with a UK BCR Summary providing information to data subjects (and, for processor BCRs, to third-party exporters). The UK BCR Addendum incorporates and extends the scope of the EU BCR to include UK restricted transfers, and becomes the UK binding instrument enforceable in the UK. The ICO states that the Addendum "contains all relevant provisions of Article 47 UK GDPR, meaning that your EU BCR will work in the UK." This pathway avoids unnecessary duplication for groups that seek both EU and UK BCR approvals.
Transfer risk assessment — mandatory even with approved BCRs
The ICO guidance confirms that relying on a UK BCR does not eliminate the requirement to conduct a transfer risk assessment (TRA) for each restricted transfer or type of transfer. A group may make a restricted transfer within its approved UK BCR only if (i) both the exporter and the receiver are part of the group's approved UK BCR, and (ii) the exporter (or the group on behalf of its members) has completed a TRA to ensure that the standard of protection for people's information is not materially lower after the transfer. The ICO recognises that in practice the group may have completed a single overarching TRA that covers multiple restricted transfers of the same type, rather than conducting a fresh TRA for each individual transfer.
The TRA requirement for BCRs flows from the Court of Justice of the European Union's judgment in Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems (Case C-311/18, judgment of 16 July 2020, known as "Schrems II"), which the ICO confirms remains applicable to the UK. The ICO controller guidance and processor guidance both emphasise the importance of Schrems II and the necessity of undertaking a TRA as one of the overarching principles of Article 47 UK GDPR. Where the TRA identifies conflicting legal requirements in the third country — for example, government surveillance laws or law-enforcement data requests that would override the BCR's data-subject-rights protections — the group must implement supplementary technical or organisational measures (such as encryption, pseudonymisation, or contractual commitments to challenge requests), or suspend or refrain from making the transfer if the BCR can no longer deliver appropriate safeguards. Article 47(2)(m) obliges the group to establish mechanisms for reporting such conflicting legal requirements to the ICO.
Post-approval obligations and ongoing monitoring
Once the ICO approves a UK BCR, the group must maintain ongoing compliance with the BCR's terms and Article 47(2) requirements. The BCR must include mechanisms for data protection audits, corrective actions, and verification of compliance (Article 47(2)(j)), and the group must report changes to the BCR to the ICO (Article 47(2)(k)). The ICO expects the group to cooperate with the ICO to ensure compliance by all group members and to make audit results available to data subjects upon request (Article 47(2)(l)). The ICO guidance notes that approved BCRs remain subject to ongoing ICO oversight and review, and the Commissioner retains the power under Article 58 UK GDPR to order suspension of data flows or to impose administrative fines under Article 83 if the BCR is breached or if the group fails to maintain the required standard of protection.
BCRs approved under UK GDPR
The ICO maintains a public list of BCRs approved under UK GDPR. As of June 2026, the list includes multinational groups across sectors including technology, telecommunications, and financial services. Organisations holding EU BCRs that were authorised under Directive 95/46/EC (the predecessor to the EU GDPR) were automatically eligible for a UK BCR under paragraph 9, Part 3, Schedule 21 to the Data Protection Act 2018 (as amended from 1 January 2021), subject to producing a UK version of their BCRs incorporating the changes required by Brexit and providing the amended documentation to the ICO.
Source: UK General Data Protection Regulation, Article 47 (as amended by Data (Use and Access) Act 2025, Schedule 7 paragraph 7)
Source: UK General Data Protection Regulation, Article 4(20) (definition of binding corporate rules)
Source: ICO, Guide to Binding Corporate Rules
Source: ICO, UK BCR Addendum
Source: Data Protection Act 2018, Schedule 21 paragraph 9 (transitional provision for EU BCRs)
Binding corporate rules (BCRs) — Article 46(2)(b) approval mechanism for intra-group transfers
Multinational corporate groups and groups of undertakings engaged in joint economic activity may rely on binding corporate rules (BCRs) approved by the Information Commissioner's Office (ICO) under Article 46(2)(b) of the UK GDPR to transfer personal data to third countries or international organisations within the group without the need for UK adequacy regulations or a contract-based safeguard such as the IDTA or UK Addendum. BCRs are particularly suited to organisations that make repeated intra-group transfers to group entities located in non-adequate countries, because once the ICO approves the BCR, the group may make restricted transfers between BCR Members under a single approved governance framework rather than executing bilateral contracts for each transfer.
Statutory basis — Article 46(2)(b) and Article 47 UK GDPR
Article 46(2)(b) UK GDPR recognises "binding corporate rules approved in accordance with Article 47" as an appropriate safeguard for restricted transfers. Article 47(1) provides that the competent supervisory authority (the ICO) shall approve BCRs provided they satisfy the conditions laid down in Article 47(2). Article 47(2) requires that BCRs be legally binding and enforced by every member of the group, that they expressly confer enforceable rights on data subjects with regard to the processing of their personal data, and that they fulfil the requirements set out in Article 47(2)(a) to (m). Those requirements include specification of the structure and contact details of the group, a description of the data flows, the general data protection principles (especially purpose limitation, data minimisation, and limited storage periods), the rights of data subjects (access, rectification, erasure, and objection under Articles 15 to 22), mechanisms for ensuring compliance (including data-protection training for personnel and audit procedures), liability for breaches, procedures for handling complaints by data subjects, and arrangements for cooperation with the ICO.
ICO approval process — Article 58(3)(j) UK GDPR and application requirements
The ICO approves UK BCRs under the power conferred by Article 58(3)(j) UK GDPR (authorising and advisory powers). The ICO has published detailed guidance, application forms, and a referential table for both controller BCRs (UK BCR-C) and processor BCRs (UK BCR-P). The updated guidance (published August 2023) reflects the Court of Justice of the European Union's Schrems II judgment (Case C-311/18, 16 July 2020), which the ICO treats as applicable to the UK regime. The ICO guidance states that "a fundamental change to the approval process is the revision of the referential table" and that applicants "must understand and demonstrate your understanding of the spirit and intent behind Article 47 in your policies and procedures."
A UK BCR application pack consists of:
- Application form — the ICO provides a standardised form for UK BCR-C or UK BCR-P; separate applications are required for controller and processor BCRs even if the same group is applying for both.
- Binding instrument (also known as the intra-group agreement or IGA) — a legally binding contract between all BCR Members. The ICO guidance (updated August 2023) states that the ICO expects the binding instrument to ensure "effective and enforceable rights" and that each nominated UK legal entity "either has or can individually call on sufficient assets to remedy any breach of the UK BCRs."
- BCR Policy — a published document setting out the key Article 47 information for data subjects. The ICO guidance states that "this is the document we expect you to publish in full" and that it "provides people with the key Article 47 information they need about their data and its transfers under the UK BCRs."
- Referential table — a completed ICO UK BCR Referential Table (version 2.0 or later) indicating where in the application form, BCR Policy, and binding instrument each Article 47 requirement is met.
- Supporting documentation — copies of policies and procedures that demonstrate compliance with the commitments made in the BCR.
The ICO will review the application and, if satisfied that the Article 47 requirements are met, will decide whether to approve the rules and notify the controller or processor of that decision under Schedule 21, paragraph 9(5) DPA 2018.
Transfer risk assessment (TRA) requirement
Even where a group has ICO-approved BCRs, the ICO guidance states that "you can make a restricted transfer within your group if: both you and the receiver are part of your group's approved UK BCR; and you've completed a TRA to make sure the standard of protection for people's information is not materially lower after you transfer it." This aligns with the post-Schrems II requirement that exporters relying on any Article 46 safeguard must assess whether the legal or practical environment in the destination country undermines the effectiveness of the safeguard. The ICO's updated Controller and Processor guidance both list "the impact of Schrems II and the importance of undertaking a transfer risk assessment" as an overarching principle.
UK BCR Addendum — simplified approval for groups with existing EU BCRs
Multinational groups that already hold an approved EU BCR (approved by a European Data Protection Authority under EU GDPR Article 47) may apply for approval of a UK BCR using the UK BCR Addendum, a modular template published by the ICO. The ICO guidance states that "the UK BCR Addendum will become the UK binding instrument, ensuring that the UK BCR is enforceable in the UK. It contains all relevant provisions of Article 47 UK GDPR, meaning that your EU BCR will work in the UK."
The UK BCR Addendum comprises three parts: Part 1 confirms the existence of an approved EU BCR and explains how the Addendum forms a UK BCR meeting Article 47 requirements; Part 2 comprises four tables (start date and Lead UK BCR Member, documents forming the approved EU BCR, selection of options such as type of BCR and applicable UK laws, and dispute resolution); and Part 3 contains the substantive mandatory clauses.
The group must submit the UK BCR Addendum, the approved EU BCR documents (including the EU BCR policy and binding instrument), and a new UK BCR Summary aimed at data subjects. The ICO guidance states "you must create a new UK BCR Summary document" and "we expect you to make your UK BCR Summary concise and easy to read." The ICO will review the content of the UK BCR Summary as part of the approval process. The group must publish the UK BCR Summary alongside the EU BCR summary after ICO approval.
Groups using the UK BCR Addendum do not need to complete a full application form or referential table. The ICO guidance notes that "we expect all BCR Members to sign the Addendum as this is structured as an intragroup agreement" and that "you can only use the UK BCR Addendum as an international transfer mechanism from the date that the last BCR Member signs it."
Transitional provisions for legacy EU BCRs — Schedule 21, paragraph 9, DPA 2018
Schedule 21, Part 3, paragraph 9 of the Data Protection Act 2018 provides that any binding corporate rules authorised by the ICO which, immediately before IP completion day (31 December 2020), provided appropriate safeguards under EU GDPR Article 46(1), continue to provide appropriate safeguards under UK GDPR Article 46 on and after IP completion day. Paragraph 9(3) permits the group to incorporate Brexit-related changes without triggering a fresh approval, provided (a) all of the changes are made in consequence of the withdrawal of the United Kingdom from the EU and (b) none of the changes alters the effect of the rules. Paragraph 9(4) provides that the following changes are to be treated as falling within subparagraph (3)(a) and (b): changing references to adequacy decisions made by the European Commission into references to equivalent UK provision, and changing references to transferring personal data outside the European Union or the European Economic Area into references to transferring personal data outside the United Kingdom. Paragraph 9(5) provides that the transitional arrangements cease to apply in relation to binding corporate rules if, on or after IP completion day, the Commissioner withdraws the authorisation of the rules.
Groups relying on paragraph 9 transitional arrangements may at any time submit a fresh UK BCR application or adopt the UK BCR Addendum to align their UK BCR with their current EU BCR.
Operational comparison — BCRs, IDTA, and UK Addendum
BCRs, the IDTA, and the UK Addendum are all Article 46 appropriate safeguards and are legally equivalent for UK GDPR compliance. The choice between them is operational. BCRs are designed for intra-group transfers within a multinational corporate group; they are not suitable for transfers to third-party processors or controllers outside the group. The IDTA and UK Addendum work for transfers to any third party, whether intra-group or external. For an organisation that makes frequent intra-group transfers to non-adequate countries, BCRs offer administrative simplicity; for transfers to external service providers or business partners, the IDTA or UK Addendum is the appropriate mechanism. All three require a transfer risk assessment and, where necessary, supplementary measures.
Source: UK General Data Protection Regulation, Article 46(2)(b)
Source: Data Protection Act 2018 (c. 12), Schedule 21, Part 3, paragraph 9
Source: ICO, Guide to Binding Corporate Rules — (B) Controller - Traditional UK BCR application process
Source: ICO, What are binding corporate rules?
Source: ICO, (A) UK BCR Addendum