ScHARR Information Governance

Policy Section 7: International Data Transfers

Version 18/03/31


This policy applies to all ScHARR staff, with particular importance for those who work with risk-bearing data.

In accordance with Article 44 of General Data Protection Regulations (GDPR) (see the ICO Guide for practical applications) and the European Parliament and Council Directive 95/46/EC, any risk-bearing data may not be transferred to locations outside the European Economic Area (EEA) unless the receiving organisation is in a position to guarantee the security rights of the data subjects to a satisfactory standard.


In addition to the considerations listed in Section 6:

  • Prior to any data transfer outside the EEA, the Section IG Lead must be consulted.
  • Depending on the complexity of the case it may be necessary to seek more detailed advice from the University’s Research Services or from the Information Commissioner’s Office.
  • If the recipient country is not on the list of approved destinations, it may be necessary to draft specific contractual guarantees with respect to confidentiality. This should be dealt with on a case-by-case basis. (For a current list of other countries considered to have an adequate level of protection see

  • Data that has been anonymised, or subjected to strong pseudonymisation, may usually be transferred to locations outside the EEA without restriction, as neither the GDPR article nor the EU directive applies.
  • Data transfers to any location are permitted when the data subject or subjects have given unambiguous, free and informed consent for the transfer to take place. (This is a defined “derogation” listed in Article 26(1) of the European Parliament and Council Data Protection Directive

  Further Information

Information Commissioner’s Office
European Union Commission website pages dealing with international data transfers
