UK GDPR

The UK General Data Protection Regulation

Art. 46 GDPR Transfers subject to appropriate safeguards

  1. [Removed]
  2. A transfer of personal data to a third country or an international organisation by a controller or processor is made subject to appropriate safeguards only—
    1. in a case in which—
      1. safeguards are provided in connection with the transfer as described in paragraph 2 or 3 or regulations made under Article 47A(4), and
      2. the controller or processor, acting reasonably and proportionately, considers that the data protection test is met in relation to the transfer or that type of transfer (see paragraph 6), or
    2. in a case in which—
      1. safeguards are provided in accordance with paragraph 2(a) by an instrument that is intended to be relied on in connection with the transfer or that type of transfer, and
      2. each public body that is a party to the instrument, acting reasonably and proportionately, considers that the data protection test is met in relation to the transfers, or types of transfer, intended to be made in reliance on the instrument (see paragraph 6).
  3. The safeguards referred to in paragraph 1A(a) may be provided for, without requiring any specific authorisation from the Commissioner, by:
    1. a legally binding and enforceable instrument between a public body and another relevant person or persons;
    2. binding corporate rules approved in accordance with Article 47;
    3. standard data protection clauses specified in regulations made by the Secretary of State under Article 47A(1) and for the time being in force;
    4. standard data protection clauses specified in a document issued (and not withdrawn) by the Commissioner under section 119A of the 2018 Act and for the time being in force;
    5. an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the safeguards provided by the code, including as regards data subjects' rights; or
    6. an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.
  4. With authorisation from the Commissioner, the safeguards referred to in paragraph 1A(a) may also be provided for, by:
    1. contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or
    2. provisions to be inserted into administrative arrangements between a public body and another relevant person or persons which include enforceable and effective data subject rights.
  5. […]
  6. […]
  7. For the purposes of this Article, the data protection test is met in relation to a transfer, or a type of transfer, of personal data if, after the transfer, the standard of the protection provided for the data subject with regard to that personal data by the safeguards required under paragraph 1A, and (where relevant) by other means, would not be materially lower than the standard of the protection provided for the data subject with regard to the personal data by or under—
    1. this Regulation,
    2. Part 2 of the 2018 Act, and
    3. Parts 5 to 7 of that Act, so far as relevant to processing to which this Regulation applies.
  8. In this Article—
    1. references to the protection provided for the data subject are to that protection taken as a whole;
    2. “relevant person” means a public body or another person exercising functions of a public nature.

Corresponding Recitals

In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority. Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union, including the availability of enforceable data subject rights and of effective legal remedies, including to obtain effective administrative or judicial redress and to claim compensation, in the Union or in a third country. They should relate in particular to compliance with the general principles relating to personal data processing, the principles of data protection by design and by default. Transfers may also be carried out by public authorities or bodies with public authorities or bodies in third countries or with international organisations with corresponding duties or functions, including on the basis of provisions to be inserted into administrative arrangements, such as a memorandum of understanding, providing for enforceable and effective rights for data subjects. Authorisation by the competent supervisory authority should be obtained when the safeguards are provided for in administrative arrangements that are not legally binding.

The possibility for the controller or processor to use standard data-protection clauses adopted by the Commission or by a supervisory authority should prevent controllers or processors neither from including the standard data-protection clauses in a wider contract, such as a contract between the processor and another processor, nor from adding other clauses or additional safeguards provided that they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects. Controllers and processors should be encouraged to provide additional safeguards via contractual commitments that supplement standard protection clauses.
