Is it an International Data Transfer? New 3-step test
The rules on international data transfers can be difficult to get your head around. So, it’s great the ICO has published updated guidance which focuses on providing clarity and real-world examples. There are no big surprises, but the guidance is well worth a read to refresh your knowledge and enhance your internal procedures.
Just a word of caution: if you are subject to EU GDPR there are some nuanced differences in the approach taken by the UK regulator in comparison to the European Data Protection Board.
I’m going to home in on the new test the ICO has developed to identify if you’re making a ‘restricted transfer’ and are thereby responsible for complying with the rules. This is certainly an area which can cause confusion. Just to recap, if your organisation is responsible for a restricted transfer you must make sure that transfer is covered by:
■ UK adequacy regulations;
■ appropriate safeguards; or
■ an exception.
And before we get stuck in, let’s highlight a few key points. Any text in italics is lifted from the ICO guidance:
■ ‘transfer’ means both sending personal information to a separate organisation outside the UK and making personal information accessible to a separate organisation e.g. by allowing remote access to your systems.
■ Transfer doesn’t mean the same as transit. If personal information is just electronically routed through a country outside the UK, but the transfer is actually from one UK organisation to another, then it’s not a restricted transfer.
■ Transfers of personal information to the UK aren’t restricted transfers under UK GDPR. A restricted transfer is when the transfer is outbound not inbound.
3-step test
If you answer yes to all of the following three questions, you’ll be making a restricted transfer and must comply with the rules:
1. Does the UK GDPR apply to our processing of the personal information we’re transferring?
2. Are we initiating the transfer of personal information to an organisation outside the UK?
3. Is the organisation we’re transferring the personal information to a separate legal entity from us?
Step one: Does the UK GDPR apply to our processing of the personal information we’re transferring?
This step helps organisations to understand if their activities are governed by UK GDPR.
The UK GDPR applies if:
■ your organisation is established within the UK, meaning it has a stable UK presence and carries out real and effective activities in the UK, and your processing is carried out by (or inextricably linked to) that establishment; or
■ another part of your corporate group outside of the UK is processing the information, and that processing is inextricably linked to your UK establishment; or
■ your organisation is located outside the UK and your processing of personal information is related to:
– an offering of goods and services to data subjects in the UK (this must specifically target the UK); or
– the monitoring of data subjects’ behaviour in the UK.
The UK GDPR doesn’t apply if you only use personal information for purely personal, family or household reasons. For example, this could include personal correspondence and blogs or social media activity with no connection to a professional or commercial activity.
Step two: Are we initiating the transfer of personal information to an organisation outside the UK?
The ICO recognises data flows can be complex and may involve a number of different organisations. Either a controller or a processor can be responsible for compliance with the transfer rules, but never both. So whether an organisation is a controller, joint controller, processor or sub-processor needs to be established to confirm which party must comply with the rules. The ICO says this comes down to who initiates the transfer.
■ The party which initially chooses to make a transfer happen will be the organisation which initiates it. The ICO’s rule of thumb: you’re not initiating the transfer if you didn’t design the transfer structure or architecture, nor initially choose the receiver.
■ Follow the contractual relationship not the data flow – it’s not who transfers the data, it’s who initiates it.
■ Initiating a transfer is different from authorising it. While a controller may ‘authorise’ a processor to use specific sub-processors, it doesn’t ‘initiate’ the transfer of personal data by its processors to their sub-processors.
■ Focus on the contractual location not the geographical location of the information itself. Where is the receiving organisation based? What country is the recipient organisation registered in? What does the contract say?
If you answer yes to any of the following questions you’ll be initiating the transfer:
■ Are you a controller transferring personal data to your processor located outside the UK? E.g. you use an IT supplier based in India who has remote access to your systems.
■ Are you a processor located in the UK and transferring personal information to one of your sub-processors located outside the UK? E.g. you are an IT supplier based in the UK who uses other overseas parties to provide your services.
■ Are you a controller with separate contracts with two processors, and you instruct one processor to transfer controller personal data to the other processor?
■ Are you a service provider, acting as a processor who engages multiple parties to provide a service package for your client, and transfer controller data to those other parties?
The ICO stresses even if you aren’t initiating the restricted transfer, you may still have contractual and UK GDPR obligations for that transfer.
Important note: UK processors and their overseas controllers
If you’re a UK processor and your controller is located outside the UK, you’re never making a restricted transfer when you transfer information to your controller, providing you’re:
■ only handling the personal information as a processor under the instructions of your controller; and
■ transferring the personal information to the same controller that instructed you to do the processing.
This is because in this situation your controller is initiating the transfer, i.e. your controller instructs you to transfer the information to it. It’s also not a restricted transfer by your controller, as the information is flowing to the controller itself and not to a separate organisation.
The ICO says the same principles apply for sub-processors based in the UK where data is being transferred to their processor outside the UK.
BUT if you fall under the scope of EU GDPR, the guidance from the European Data Protection Board differs in this respect, and these would be considered ‘restricted transfers’ by EU processors or sub-processors.
Step three: Is the organisation we’re transferring the personal information to a separate legal entity from us?
A supplier acting as a processor for a controller will be a separate legal entity. Companies within the same corporate group will often be separate legal entities too.
A restricted transfer will not be deemed to take place when you allow personal information to be accessed by a member of staff who is located overseas, where they are employed by the same legal entity.
And there you have it: a 3-step test to get you on the right path!
While I’ve just picked up on the 3-step test which I think is useful to help organisations establish who needs to comply with the international data transfer rules, there’s plenty more detail to mull over. The ICO has split its guidance into a brief guide and detailed guidance. And that’s not all – there’s the promise of more guidance, examples and case studies to come.