xmlns:atom="http://www.w3.org/2005/Atom" xmlns:atom="http://www.w3.org/2005/Atom"

PART 3 U.K.Law enforcement processing

CHAPTER 5U.K.Transfers of personal data to third countries etc

General principles for transfersU.K.

73General principles for transfers of personal dataU.K.

(1)A controller may not transfer personal data to a third country or to an international organisation unless—

(a)the three conditions set out in subsections (2) to (4) are met, and

(b)in a case where the personal data was originally transmitted or otherwise made available to the controller or another competent authority by a member State F1..., that member State, or any person based in that member State which is a competent authority for the purposes of the Law Enforcement Directive, has authorised the transfer in accordance with the law of the member State.

(2)Condition 1 is that the transfer is necessary for any of the law enforcement purposes.

(3)Condition 2 is that the transfer—

(a)is based on [F2adequacy regulations (see section 74A)],

(b)if not based on [F3adequacy regulations], is based on there being appropriate safeguards (see section 75), or

(c)if not based on [F4adequacy regulations] or on there being appropriate safeguards, is based on special circumstances (see section 76).

(4)Condition 3 is that—

(a)the intended recipient is a relevant authority in a third country or an international organisation that is a relevant international organisation, or

(b)in a case where the controller is a competent authority specified in any of paragraphs 5 to 17, 21, 24 to 28, 34 to 51, 54 and 56 of Schedule 7—

(i)the intended recipient is a person in a third country other than a relevant authority, and

(ii)the additional conditions in section 77 are met.

(5)Authorisation is not required as mentioned in subsection (1)(b) if—

(a)the transfer is necessary for the prevention of an immediate and serious threat either to the public security of F5... a third country or to the essential interests of a member State, and

(b)the authorisation cannot be obtained in good time.

(6)Where a transfer is made without the authorisation mentioned in subsection (1)(b), the authority in the member State which would have been responsible for deciding whether to authorise the transfer must be informed without delay.

(7)In this section, “relevant international organisation” means an international organisation that carries out functions for any of the law enforcement purposes.

F674Transfers on the basis of an adequacy decisionU.K.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

[F774ATransfers based on adequacy regulationsU.K.

(1)The Secretary of State may by regulations specify any of the following which the Secretary of State considers ensures an adequate level of protection of personal data—

(a)a third country,

(b)a territory or one or more sectors within a third country,

(c)an international organisation, or

(d)a description of such a country, territory, sector or organisation.

(2)For the purposes of this Part of this Act, a transfer of personal data to a third country or an international organisation is based on adequacy regulations if, at the time of the transfer, regulations made under this section are in force which specify, or specify a description which includes—

(a)in the case of a third country, the country or a relevant territory or sector within the country, and

(b)in the case of an international organisation, the organisation,

and such a transfer does not require specific authorisation.

(3)Regulations under this section may specify that the Secretary of State considers that an adequate level of protection of personal data is ensured only for a transfer specified or described in the regulations and, if they do so, only such a transfer may rely on those regulations for the purposes of subsection (2).

(4)When assessing the adequacy of the level of protection for the purposes of this section or section 74B, the Secretary of State must, in particular, take account of—

(a)the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation, which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data is transferred,

(b)the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with data protection rules, including adequate enforcement powers, for assisting and advising data subjects in exercising their rights and for cooperation with the Commissioner, and

(c)the international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.

(5)Regulations under this section—

(a)where they relate to a third country, must specify their territorial and sectoral application;

(b)where applicable, must specify the independent supervisory authority or authorities referred to in subsection (4)(b).

(6)Regulations under this section may, among other things—

(a)provide that, in relation to a country, territory, sector, organisation or territory specified, or falling within a description specified, in the regulations, section 74B(1) has effect as if it required the reviews described there to be carried out at such shorter intervals as are specified in the regulations;

(b)identify a transfer of personal data by any means, including by reference to the controller or processor, the recipient, the personal data transferred or the means by which the transfer is made or by reference to relevant legislation, lists or other documents, as they have effect from time to time;

(c)confer a discretion on a person.

(7)Regulations under this section are subject to the negative resolution procedure.]

[F774BTransfers based on adequacy regulations: review etcU.K.

(1)For so long as regulations under section 74A are in force which specify, or specify a description which includes, a third country, a territory or sector within a third country or an international organisation, the Secretary of State must carry out a review of whether the country, territory, sector or organisation ensures an adequate level of protection of personal data at intervals of not more than 4 years.

(2)Each review under subsection (1) must take into account all relevant developments in the third country or international organisation.

(3)The Secretary of State must, on an ongoing basis, monitor developments in third countries and international organisations that could affect decisions to make regulations under section 74A or to amend or revoke such regulations.

(4)Where the Secretary of State becomes aware that a country, territory, sector or organisation specified, or falling within a description specified, in regulations under section 74A no longer ensures an adequate level of protection of personal data, whether as a result of a review under this section or otherwise, the Secretary of State must, to the extent necessary, amend or revoke the regulations.

(5)Where regulations under section 74A are amended or revoked in accordance with subsection (4), the Secretary of State must enter into consultations with the third country or international organisation concerned with a view to remedying the lack of an adequate level of protection.

(6)The Secretary of State must publish—

(a)a list of the third countries, territories and specified sectors within a third country and international organisations, and the descriptions of such countries, territories, sectors and organisations, which are for the time being specified in regulations under section 74A, and

(b)a list of the third countries, territories and specified sectors within a third country and international organisations, and the descriptions of such countries, territories, sectors and organisations, which have been but are no longer specified in such regulations.

(7)In the case of regulations under section 74A which specify that an adequate level of protection of personal data is ensured only for a transfer specified or described in the regulations—

(a)the duty under subsection (1) is only to carry out a review of the level of protection ensured for such a transfer, and

(b)the lists published under subsection (6) must specify or describe the relevant transfers.]

75Transfers on the basis of appropriate safeguardsU.K.

(1)A transfer of personal data to a third country or an international organisation is based on there being appropriate safeguards where—

(a)a legal instrument containing appropriate safeguards for the protection of personal data binds the intended recipient of the data, or

(b)the controller, having assessed all the circumstances surrounding transfers of that type of personal data to the third country or international organisation, concludes that appropriate safeguards exist to protect the data.

(2)The controller must inform the Commissioner about the categories of data transfers that take place in reliance on subsection (1)(b).

(3)Where a transfer of data takes place in reliance on subsection (1)—

(a)the transfer must be documented,

(b)the documentation must be provided to the Commissioner on request, and

(c)the documentation must include, in particular—

(i)the date and time of the transfer,

(ii)the name of and any other pertinent information about the recipient,

(iii)the justification for the transfer, and

(iv)a description of the personal data transferred.

76Transfers on the basis of special circumstancesU.K.

(1)A transfer of personal data to a third country or international organisation is based on special circumstances where the transfer is necessary—

(a)to protect the vital interests of the data subject or another person,

(b)to safeguard the legitimate interests of the data subject,

(c)for the prevention of an immediate and serious threat to the public security of F8... a third country,

(d)in individual cases for any of the law enforcement purposes, or

(e)in individual cases for a legal purpose.

(2)But subsection (1)(d) and (e) do not apply if the controller determines that fundamental rights and freedoms of the data subject override the public interest in the transfer.

(3)Where a transfer of data takes place in reliance on subsection (1)—

(a)the transfer must be documented,

(b)the documentation must be provided to the Commissioner on request, and

(c)the documentation must include, in particular—

(i)the date and time of the transfer,

(ii)the name of and any other pertinent information about the recipient,

(iii)the justification for the transfer, and

(iv)a description of the personal data transferred.

(4)For the purposes of this section, a transfer is necessary for a legal purpose if—

(a)it is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings) relating to any of the law enforcement purposes,

(b)it is necessary for the purpose of obtaining legal advice in relation to any of the law enforcement purposes, or

(c)it is otherwise necessary for the purposes of establishing, exercising or defending legal rights in relation to any of the law enforcement purposes.