Data protection legislation prohibits the transfer of personal data to countries outside the European Economic Area (EEA) unless:
- The country in question has been deemed by the European Commission to provide an adequate level of protection for personal data; or
- One of the mechanisms set out in the legislation has been put in place applies, e.g. where one of the ‘appropriate safeguards’ listed in data protection legislation has been put in place or a specific exception applies (see attached note for further detail on this point).
These restrictions are in place because countries outside the EEA are deemed not to provide an adequate level of protection for personal data.
This note explains the restrictions applicable to transfers outside the EEA and the steps that UCL staff must take in order to ensure that any transfers comply with data protection law. It is designed to be read in conjunction with the other data protection guidance available on our website.