UK adequacy decision: inbound EU-to-UK transfer compliance
In short: The UK adequacy decision for inbound EU personal data was renewed by the European Commission on 19 December 2025 and runs to 27 December 2031. UK controllers should rely on it as the primary inbound transfer mechanism but maintain Standard Contractual Clauses and IDTA fallback documentation against the Commission’s monitoring conditions and the staged commencement of the Data (Use and Access) Act 2025.
For UK businesses receiving personal data from the EU, the UK adequacy decision is the simplest route to lawful inbound transfers. The European Commission renewed adequacy on 19 December 2025 and the recognition now runs to 27 December 2031. The renewal removes the immediate question of whether Standard Contractual Clauses or the International Data Transfer Agreement are needed for EU-to-UK flows. It does not remove the question of whether those mechanisms should be kept alive in contractual documentation as a fallback. The Commission’s monitoring conditions, the staged commencement of the Data (Use and Access) Act 2025 and the prospect of further UK reform mean the operational compliance position is contingent, not closed. We covered the broader divergence picture in our explainer on UK and EU data protection divergence and the DUAA enforcement framework in DUAA takes effect: ICO enforcement.
The legal framework for the UK adequacy decision
The Commission’s adequacy power sits in Article 45 of the EU GDPR. Article 45 lets the Commission decide that a third country ensures an adequate level of protection, with the consequence that personal data may flow to that country without the additional safeguards required by Article 46. The original UK adequacy decision was Implementing Decision (EU) 2021/1772, adopted on 28 June 2021. It carried a four-year sunset to 27 June 2025, reflecting European Parliament concerns about the post-Brexit divergence trajectory.
On 24 June 2025 the Commission adopted Implementing Decision (EU) 2025/1226, a six-month bridging extension that took adequacy from 27 June 2025 to 27 December 2025. The bridge gave the Commission time to assess the DUAA 2025 reforms before deciding on a full renewal. On 19 December 2025 the Commission adopted Implementing Decision (EU) 2025/2574, which renews adequacy under the EU GDPR through to 27 December 2031. A parallel decision under the Law Enforcement Directive runs in tandem.
On the UK side, the inbound and outbound international transfer regime sits in Chapter V of the UK GDPR and in Part 2 Chapter 5 of the Data Protection Act 2018. The DUAA 2025 has restructured this. Schedule 7 inserts new Articles 45A and 47A directly into the UK GDPR for adequacy regulations and standard data protection clauses, and Schedule 9 makes the consequential transitional provisions so that regulations made under DPA 2018 ss 17A and 17C continue under those new UK GDPR articles. Citations made under the old DPA section numbers therefore need to be read across to the new UK GDPR Article numbers as the staged commencement progresses.
What the renewed UK adequacy decision does and does not do
The renewed UK adequacy decision addresses one direction of travel: personal data moving from the European Economic Area into the UK. EU and EEA controllers can rely on the decision to transfer personal data to UK-established controllers and processors without an Article 46 safeguard. The decision does not address the reverse direction. UK-to-EEA transfers are governed by UK adequacy regulations, under which the EEA states are treated as adequate; that regime is separate, and is not affected by the Commission’s December 2025 renewal.
The renewal does not freeze the legal position. The Commission has retained its monitoring obligation, and the EDPB Opinion 26/2025 on the draft renewal identified three monitoring stress points. The first is the surveillance regime under the Investigatory Powers Act 2016, where the EDPB asked the Commission to monitor the application in practice of national security exemptions. The second is automated decision-making under new UK GDPR Articles 22A to 22D, which DUAA 2025 has substituted for the previous Article 22; we examined the new UK regime in automated decision-making and the DUAA UK regime. The third is any further UK divergence on lawful basis or transfer rules, particularly under the recognised legitimate interests provisions, which we covered in recognised legitimate interests: DUAA UK and EU divergence.
The terminology has also shifted. A transfer risk assessment, the previous label for the destination-country surveillance and access analysis required when a UK controller relies on the IDTA or UK Addendum for outbound transfers, is now defined in UK legislation as a “data protection test”. The substantive question is whether the standard of protection in the destination country is “not materially lower” than in the UK after the transfer. The ICO updated its international transfers guidance in January 2026 to reflect the new vocabulary and a streamlined three-step framework for identifying restricted transfers.
Operational implications for UK controllers
For UK-established controllers receiving EU personal data, the practical position has four limbs.
First, adequacy is the primary mechanism. EU exporters can transfer to UK importers without SCCs or any other Article 46 instrument. Existing data processing agreements that bolted on the EU SCCs solely as a transfer mechanism for EU-to-UK flows may now be over-engineered for the operational position. The contractual fix is straightforward: keep the SCCs in the agreement but document that they are present as a fallback, not as the active transfer mechanism.
Second, the fallback discipline matters. The cost of maintaining SCC or IDTA fallback language inside a data processing agreement is small. The cost of building it under time pressure if a future suspension materialised would be material. The skill we developed when the original adequacy decision was first negotiated, set out in our analysis of standard contracts for personal data export, has not been retired. It is on the bench.
Third, the documentation needs updating. Article 30 of the UK GDPR (as retained in UK law) requires controllers and processors to maintain records of processing activities including, where applicable, the transfers of personal data to third countries and the safeguards relied on. Records that still cite the original 2021 decision should be updated to refer to the renewed decision and its 2031 horizon. Data protection impact assessments that identified inbound EU-to-UK transfers as the principal risk driver should be reviewed; in many cases the residual risk now sits in the monitoring conditions rather than in the transfer mechanism itself.
Fourth, the sectoral overlay continues to apply. Payment service providers and e-money issuers operate the inbound EU-to-UK flow inside the wider regulatory architecture of the Payment Services Regulations 2017 and the FCA outsourcing rules. Adequacy resolves the UK GDPR transfer question; it does not displace contractual data protection obligations between an EU principal and its UK service provider, FCA expectations on outsourced processing, or operational resilience rules under the FCA Handbook and DORA equivalents. Telecoms operators with EEA customers face the same point in respect of PECR and the FCA-equivalent regulatory overlay in their sector.
Comparison: transfer mechanisms after the UK adequacy decision renewal
| Mechanism | Direction | Active or fallback after the renewal | Source |
|---|---|---|---|
| Adequacy decision | EU-to-UK | Active primary mechanism to 27 December 2031 | EU GDPR Article 45; Decision (EU) 2025/2574 |
| EU SCCs | EU-to-UK | Fallback; not required while adequacy is in force | EU GDPR Article 46(2)(c); Decision (EU) 2021/914 |
| UK adequacy regulations on the EEA | UK-to-EEA | Active primary mechanism | UK GDPR Article 45A (as inserted by DUAA 2025 Sch 7) |
| IDTA and UK Addendum | UK-to-non-adequate third country | Active where no adequacy applies | UK GDPR Article 47A; ICO IDTA |
| Binding corporate rules | Intra-group, both directions | Active where approved | UK GDPR Article 47; EU GDPR Article 47 |
| Article 49 derogations | Either | Narrow, occasional only | UK GDPR Article 49; EU GDPR Article 49 |
Viewpoint
The renewal is a six-year breathing space, not a settlement. Two issues to watch over the planning horizon. The first is the IPA 2016 surveillance regime: the EDPB has flagged it for monitoring and the political climate around national security access in third countries has not become calmer since 2021. The second is the DUAA 2025 implementation trajectory, in particular the new Articles 22A to 22D on automated decision-making and the recognised legitimate interests grounds. If the practical operation of those provisions diverges meaningfully from the EU GDPR, the Commission’s monitoring will pick that up.
The operational lesson from the four years of post-Brexit adequacy practice is that contractual discipline does not get easier when the regulatory baseline shifts. Controllers that retired their SCC fallback language entirely after 28 June 2021 found themselves rebuilding it in May and June 2025 when the original sunset approached. Keeping the fallback alive costs little. Suspending it and rebuilding under pressure costs more.
Frequently asked questions
When does the renewed UK adequacy decision expire?
The renewed UK adequacy decision under the EU GDPR was adopted on 19 December 2025 and will expire on 27 December 2031 unless renewed earlier. A parallel decision under the Law Enforcement Directive runs in tandem. The Commission monitors the UK regime on an ongoing basis and may suspend or repeal the decision before 27 December 2031 if the standard of protection ceases to be essentially equivalent.
Do UK controllers still need SCCs or the IDTA after the renewal?
For inbound EU-to-UK transfers, no SCC or IDTA is needed while the adequacy decision is in force. For outbound UK-to-non-adequate-country transfers, the IDTA or the UK Addendum to the EU SCCs remains the standard mechanism. SCC fallback language in EU-UK data processing agreements should be retained as documentation against the Commission’s monitoring conditions, but is not the operative mechanism today.
What is the data protection test under DUAA 2025?
The data protection test is the new statutory label for what used to be called a transfer risk assessment. It applies to outbound UK transfers under Article 46 / Article 47A safeguards. The substantive question is whether the standard of protection in the destination country is not materially lower than in the UK after transfer. Inbound EU-to-UK transfers covered by the renewed adequacy decision are not subject to a data protection test on the EU exporter’s side.
Could the European Commission suspend the UK adequacy decision before 2031?
Yes. Article 45(5) of the EU GDPR empowers the Commission to repeal, amend or suspend an adequacy decision where the third country no longer ensures an adequate level of protection. The EDPB Opinion 26/2025 set out the monitoring conditions on which the Commission’s continued recognition rests. A material change in the UK regime, particularly on national security access or on the operation of the new automated decision-making framework, could engage the suspension power.
Do payments firms need additional transfer mechanisms under the PSRs 2017?
The PSRs 2017 do not impose a separate transfer mechanism for personal data. They impose contractual, operational and supervisory obligations on payment institutions and e-money issuers, including in relation to outsourcing and the protection of customer information. Adequacy resolves the UK GDPR transfer question for inbound EU-to-UK flows, but contractual data protection wording, FCA outsourcing expectations and operational resilience rules continue to apply alongside the UK GDPR.
For advice on inbound EU-to-UK transfer compliance, on the operational implications of the Commission’s monitoring conditions, or on the integration of the renewed UK adequacy decision into your data processing agreements and Article 30 records, contact Rob Bratby at Bratby Law. We also advise on data governance and AI-related advice for regulated businesses operating cross-border data flows.
