Transferring your personal data outside of the UK 

It is unlikely that we’ll ever share your personal data outside the UK or the EU. If, however, it becomes necessary we will only share it with organisations in countries: 

  1. Where the UK or European Commission have said the country is ‘adequate’ (this means countries that have a similar level of data protection law as we have in the UK) – the UK and EU are ‘adequate’ for each other;  
  1. On the basis of an International Data transfer Agreement (IDTA) or European Commission Standard Contractual Clauses (SCCs) with an addendum required by the UK (both of these are contracts which require the organisation to use and protect your personal data to the standard we expect within the UK); or 
  1. On the basis of a supplier sharing data to another of their offices located outside the UK and EU and they have implemented contractual arrangements call ‘Binding Corporate Rules’. (These need to be verified by data protection regulators and do not allow an organisation to share data outside of their contracted network of suppliers and their own offices). 

All suppliers that use personal data on our behalf have an agreement in place with us no matter where the data is going. This is known as a Data Processing Agreement.