Data protection laws limit our ability to transfer personal data outside the countries within the UK and countries, such as the those within the European Economic Area, which are subject to an adequacy decision (Restricted Transfers) (i.e. the countries which are subject to the same or very similar data protection laws). This is to help ensure that a consistent level of data protection applies to your data at all stages of processing, and that you are not exposed to additional privacy risks through the transfer of your data. Restricted Transfers are only permitted in certain circumstances. Where such Restricted Transfers are necessary, we ensure that we have appropriate safeguards in place.
There may be a Restricted Transfer of your personal data outside the UK in the following circumstances:
- Where we use a cloud-based IT system to hold your data, and the data in the cloud is stored on servers located outside the UK in a country which is not subject to an adequacy decision. In these circumstances we safeguard your data through undertaking appropriate checks on the levels of security offered by the cloud provider and entering into a contract with them which applies protections of the same type and level required by data protection laws within the UK;
- Where you are based outside the UK in a country which is not subject to an adequacy decision, and we need to send you emails or other communications which are necessary for the performance of our contract with you or for implementing pre-contractual measures which you have asked us to take (e.g. processing your application or enquiry). In these circumstances the data protection laws say that transfer is permitted; or
- With your consent.