Using personal data in your business or other organisation

What action you need to take regarding data protection and data flows with the EU/EEA.

This information is for UK businesses and other organisations that:

  • receive personal data from, or transfer personal data to, organisations abroad, including the European Economic Area (EEA), which includes the EU
  • operate in the EEA

Further information can be found on the Information Commissioner’s Office’s (ICO) website. The ICO is the independent supervisory authority for data protection in the UK.

What personal data is

Personal data is any information that can be used to identify a living person, including names, delivery details, IP addresses, or HR data such as payroll details. Most organisations use personal data in their daily operations.

An example of this is a UK company that receives customer information from an EU company, such as names and addresses, to provide goods or services.

Receiving personal data from the EU/EEA and third countries which have EU adequacy decisions

The EU has now formally adopted ‘adequacy decisions’ for the UK. These allow for the ongoing free flow of personal data from the EU/EEA to the UK.

All 12 of the third countries deemed adequate by the EU are maintaining unrestricted personal data flows with the UK. Further information can be found on the ICO’s website.

Personal data flows from the UK

There are no changes to the way you send personal data to the EU/EEA, Gibraltar and other countries deemed adequate by the EU. If this situation changes, we will update this page.

For international data transfers from the UK to other jurisdictions, further information can be found on the ICO’s website.

Data protection and GDPR

The UK’s data protection regime is set out in the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. The Information Commissioner is the UK’s independent supervisory authority on data protection.

Published 31 December 2020
Last updated 28 June 2021 