Data transfers to 3rd countries

If the headquarter of the organization is in the United Kingdom, then UK GDPR would apply mainly. According to article 3 – Territorial scope – from EU GDPR, the Regulation would apply only if the company would offer goods or services to people in EEA, or if it monitors the behavior of people in EEA. If the data is stored in Serbia, then a transfer takes place from the UK to Serbia. According to UK GDPR, which is almost the same as EU GDPR (with EU references removed), a suitable transfer mechanism should be used for compliant personal data transfer. In this case, the best transfer mechanism would be UK Standard Contractual Clauses. ICO, UK’s Data Protection Authority issued some new SCCs, called IDTAs (International Data Transfer Agreement) that can be used starting March 21, 2022.

You could explore developing Binding Corporate Rules (BCRs) for intra-group personal data international transfers, but they need to be approved by the supervisory authority (ICO in this case).

Please consult these links to find more details:

• Article 3 EU GDPR: https://advisera.com/eugdpracademy/gdpr/territorial-scope/
• Chapter 5 GDPR: Transfers of personal data to third countries or international organisations: https://advisera.com/eugdpracademy/gdpr-text/transfers-of-personal-data-to-third-countries-or-international-organisations/
• 3 steps for data transfers according to GDPR: https://advisera.com/articles/3-steps-for-data-transfers-according-to-gdpr/
• ICO UK IDTAs (International Data Transfer Agreements): https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/
• ICO BCRs (Binding Corporate Rules): https://ico.org.uk/for-organisations/binding-corporate-rules/