A restricted transfer can be made one of three ways: 

1. An 'Adequacy Decision'

The Information Commissioner's Office (ICO) describes the 'adequacy decision' as: "…a finding by the Commission that the legal framework in place in that country, territory, sector or international organisation provides ‘adequate’ protection for individuals’ rights and freedoms for their personal data". 

2. Appropriate Safeguards

If an adequacy decision is not possible, making the transfer subject to appropriate safeguards is an option. 

These safeguards include: 

• A legally binding and enforceable instrument between public authorities or bodies 
• Binding corporation rules
• Standard data protection clauses adopted by the Commission
• Standard data protection clauses adopted by a supervisory authority and approved by the Commission
• An approved code of conduct together with binding and enforceable commitments of the receiver outside the UK
• Certification under an approved certification mechanism together with binding and enforceable commitments of the receiver outside the UK
• Contractual clauses authorised by a supervisory authority
• Administrative arrangements between public authorities or bodies which include enforceable and effective rights for the individuals whose personal data is transferred

3. An Exception

If a restricted transfer isn't covered by an adequacy decision or the appropriate safeguards, it can only be transferred if it is covered by exceptions outlined in Article 49 GDPR.