Data Protection Act 2018

[F1Part 3U.K.Transfers to third countries and international organisations

UK GDPR: adequacy decisions and adequacy regulationsU.K.

4(1)On and after IP completion day, for the purposes of the UK GDPR and Part 2 of this Act, a transfer of personal data to a third country or an international organisation is based on adequacy regulations if, at the time of the transfer, paragraph 5 specifies, or specifies a description which includes—

(a)in the case of a third country, the country or a relevant territory or sector within the country, or

(b)in the case of an international organisation, the organisation.

(2)Sub-paragraph (1) has effect subject to provision in paragraph 5 providing that only particular transfers to the country, territory, sector or organisation may rely on a particular provision of paragraph 5 for the purposes of sub-paragraph (1).

(3)The Secretary of State may by regulations—

(a)repeal sub-paragraphs (1) and (2) and paragraph 5;

(b)amend paragraph 5 so as to omit a third country, territory, sector or international organisation specified, or of a description specified, in that paragraph;

(c)amend paragraph 5 so as to replace a reference to, or description of, a third country, territory, sector or organisation with a narrower reference or description, including by specifying or describing particular transfers of personal data and making provision described in sub-paragraph (2).

(4)Regulations under this paragraph may, among other things——

(a)identify a transfer of personal data by any means, including by reference to the controller or processor, the recipient, the personal data transferred or the means by which the transfer is made or by reference to relevant legislation, lists or other documents, as they have effect from time to time;

(b)confer a discretion on a person.

(5)Regulations under this paragraph are subject to the negative resolution procedure.

(6)Sub-paragraphs (1) and (2) have effect in addition to section 17A(2) and (3).

5(1)The following are specified for the purposes of paragraph 4(1)—U.K.

(a)an EEA state;

(b)Gibraltar;

(c)a Union institution, body, office or agency set up by, or on the basis of, the Treaty on the European Union, the Treaty on the Functioning of the European Union or the Euratom Treaty;

(d)an equivalent institution, body, office or agency set up by, or on the basis of, the Treaties establishing the European Economic Area;

(e)a third country which is the subject of a decision listed in sub-paragraph (2), other than a decision that, immediately before IP completion day, had been repealed or was suspended;

(f)a third country, territory or sector within a third country or international organisation which is the subject of an adequacy decision made by the European Commission before IP completion day on the basis of Article 45(3) of the EU GDPR, other than a decision that, immediately before IP completion day, had been repealed or was suspended.

(2)The decisions mentioned in sub-paragraph (1)(e) are the following—

(a)Commission Decision 2000/518/EC of 26th July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided in Switzerland;

(b)Commission Decision 2002/2/EC of 20th December 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act;

(c)Commission Decision 2003/490/EC of 30th June 2003 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Argentina;

(d)Commission Decision 2003/821/EC of 21st November 2003 on the adequate protection of personal data in Guernsey;

(e)Commission Decision 2004/411/EC of 28th April 2004 on the adequate protection of personal data in the Isle of Man;

(f)Commission Decision 2008/393/EC of 8th May 2008 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Jersey;

(g)Commission Decision 2010/146/EU of 5th March 2010 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection provided by the Faeroese Act on processing of personal data;

(h)Commission Decision 2010/625/EU of 19th October 2010 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Andorra;

(i)Commission Decision 2011/61/EU of 31st January 2011 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by the State of Israel with regard to automated processing of personal data;

(j)Commission Implementing Decision 2012/484/EU of 21st August 2012 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by the Eastern Republic of Uruguay with regard to automated processing of personal data;

(k)Commission Implementing Decision 2013/65/EU of 19th December 2012 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by New Zealand;

(m)Commission Implementing Decision (EU) 2019/419 of 23rd January 2019 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by Japan under the Act on the Protection of Personal Information.

(3)Where a decision described in sub-paragraph (1)(e) or (f) states that an adequate level of protection of personal data is ensured only for a transfer specified or described in the decision, only such a transfer may rely on that provision and that decision for the purposes of paragraph 4(1).

(4)The references to a decision in sub-paragraphs (1)(e) and (f) and (2) are to the decision as it had effect in EU law immediately before IP completion day, subject to sub-paragraphs (5) and (6).

(5)For the purposes of this paragraph, where a reference to legislation, a list or another document in a decision described in sub-paragraph (1)(e) or (f) is a reference to the legislation, list or document as it has effect from time to time, it is to be treated as a reference to the legislation, list or other document as it has effect at the time of the transfer.

(6)For the purposes of this paragraph, where a decision described in sub-paragraph (1)(e) or (f) relates to—

(a)transfers from the European Union (or the European Community) or the European Economic Area, or

(b)transfers to which the EU GDPR applies,

it is to be treated as relating to equivalent transfers to or from the United Kingdom or transfers to which the UK GDPR applies (as appropriate).

6(1)In the provisions listed in sub-paragraph (2)—U.K.

(a)references to regulations made under section 17A (other than references to making such regulations) include the provision made in paragraph 5;

(b)references to the revocation of such regulations include the repeal of all or part of paragraph 5.

(2)Those provisions are—

(a)Articles 13(1)(f), 14(1)(f), 45(1) and (7), 46(1) and 49(1) of the UK GDPR;

(b)sections 17B(1), (3), (6) and (7) and 18(2) of this Act.

UK GDPR: transfers subject to appropriate safeguards provided by standard data protection clausesU.K.

7(1)Subject to paragraph 8, the appropriate safeguards referred to in Article 46(1) of the UK GDPR may be provided for on and after IP completion day as described in this paragraph.

(2)The safeguards may be provided for by any standard data protection clauses included in an arrangement which, if the arrangement had been entered into immediately before IP completion day, would have provided for the appropriate safeguards referred to in Article 46(1) of the EU GDPR by virtue of Article 46(2)(c) or (d) or (5) of the EU GDPR.

(3)The safeguards may be provided for by a version of standard data protection clauses described in sub-paragraph (2) incorporating changes where—

(a)all of the changes are made in consequence of the withdrawal of the United Kingdom from the EU or provision made by regulations under section 8 or 23 of the European Union (Withdrawal) Act 2018 (or both), and

(b)none of the changes alters the effect of the clauses.

(4)The following changes are to be treated as falling within sub-paragraph (3)(a) and (b)—

(a)changing references to adequacy decisions made by the European Commission into references to equivalent provision made by regulations under section 17A or by or under paragraphs 4 to 6 of this Schedule;

(b)changing references to transferring personal data outside the European Union or the European Economic Area into references to transferring personal data outside the United Kingdom.

(5)In the case of a transfer of personal data made under arrangements entered into before IP completion day, the safeguards may be provided for on and after IP completion day by standard data protection clauses not falling within sub-paragraph (2) which—

(a)formed part of the arrangements immediately before IP completion day, and

(b)at that time, provided for the appropriate safeguards referred to in Article 46(1) of the EU GDPR by virtue of Article 46(2)(c) or (d) or (5) of the EU GDPR.

(6)The Secretary of State and the Commissioner must keep the operation of this paragraph under review.

(7)In this paragraph, “adequacy decision” means a decision made on the basis of—

(a)Article 45(3) of the EU GDPR, or

(b)Article 25(6) of Directive 95/46/EC of the European Parliament and of the Council of 24th October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

(8)This paragraph has effect in addition to Article 46(2) and (3) of the UK GDPR.

8(1)Paragraph 7 does not apply to the extent that it has been disapplied by—U.K.

(a)regulations made by the Secretary of State, or

(b)a document issued by the Commissioner.

(2)Regulations under this paragraph are subject to the negative resolution procedure.

(3)Subsections (3) to (8) and (10) to (12) of section 119A apply in relation to a document issued by the Commissioner under this paragraph as they apply to a document issued by the Commissioner under section 119A(2).

UK GDPR: transfers subject to appropriate safeguards provided by binding corporate rulesU.K.

9(1)The appropriate safeguards referred to in Article 46(1) of the UK GDPR may be provided for on and after IP completion day as described sub-paragraphs (2) to (4), subject to sub-paragraph (5).

(2)The safeguards may be provided for by any binding corporate rules authorised by the Commissioner which, immediately before IP completion day, provided for the appropriate safeguards referred to in Article 46(1) of the EU GDPR by virtue of Article 46(5) of the EU GDPR.

(3)The safeguards may be provided for by a version of binding corporate rules described in sub-paragraph (2) incorporating changes where—

(a)all of the changes are made in consequence of the withdrawal of the United Kingdom from the EU or provision made by regulations under section 8 or 23 of the European Union (Withdrawal) Act 2018 (or both), and

(b)none of the changes alters the effect of the rules.

(4)The following changes are to be treated as falling within sub-paragraph (3)(a) and (b)—

(a)changing references to adequacy decisions made by the European Commission into references to equivalent provision made by regulations under section 17A or by or under paragraphs 4 to 6 of this Schedule;

(b)changing references to transferring personal data outside the European Union or the European Economic Area into references to transferring personal data outside the United Kingdom.

(5)Sub-paragraphs (2) to (4) cease to apply in relation to binding corporate rules if, on or after IP completion day, the Commissioner withdraws the authorisation of the rules (or, where sub-paragraph (3) is relied on, the authorisation of the rules mentioned in sub-paragraph (2)).

(5A)For the purposes of sub-paragraph (2), binding corporate rules which, immediately before IP completion day, provided for the appropriate safeguards referred to in Article 46(1) of the EU GDPR by virtue of Article 46(5) of the EU GDPR but which were authorised other than by the Commissioner are to be treated as authorised by the Commissioner where—

(a)a valid notification of the rules has been made to the Commissioner,

(b)the Commissioner has approved them, and

(c)that approval has not been withdrawn.

(5B)A notification is valid if it—

(a)is made by a controller or processor established in the United Kingdom,

(b)is made to the Commissioner before the end of the period of 6 months beginning with IP completion day, and

(c)includes—

(i)the name and contact details of the data protection officer or other contact point for the controller or processor, and

(ii)such other information as the Commissioner may reasonably require.

(5C)Where a valid notification is made the Commissioner must, without undue delay—

(a)decide whether or not to approve the rules, and

(b)notify the controller or processor of that decision.

(6)The Commissioner must keep the operation of this paragraph under review.

(7)In this paragraph—

• “adequacy decision” means a decision made on the basis of—

  (a)

  Article 45(3) of the EU GDPR, or

  (b)

  Article 25(6) of Directive 95/46/EC of the European Parliament and of the Council of 24th October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

• “binding corporate rules” has the meaning given in Article 4(20) of the UK GDPR.

(8)This paragraph has effect in addition to Article 46(2) and (3) of the UK GDPR.

Part 3 (law enforcement processing): adequacy decisions and adequacy regulationsU.K.

10(1)On and after IP completion day, for the purposes of Part 3 of this Act, a transfer of personal data to a third country or an international organisation is based on adequacy regulations if, at the time of the transfer, paragraph 11 specifies, or specifies a description which includes—

(a)in the case of a third country, the country or a relevant territory or sector within the country, or

(b)in the case of an international organisation, the organisation.

(2)Sub-paragraph (1) has effect subject to provision in paragraph 11 providing that only particular transfers to the country, territory, sector or organisation may rely on a particular provision of paragraph 11 for the purposes of sub-paragraph (1).

(3)The Secretary of State may by regulations—

(a)repeal sub-paragraphs (1) and (2) and paragraph 11;

(b)amend paragraph 11 so as to omit a third country, territory, sector or international organisation specified, or of a description specified, in that paragraph;

(c)amend paragraph 11 so as to replace a reference to, or description of, a third country, territory, sector or organisation with a narrower reference or description, including by specifying or describing particular transfers of personal data and by making provision described in sub-paragraph (2).

(4)Regulations under this paragraph may, among other things—

(a)identify a transfer of personal data by any means, including by reference to the controller or processor, the recipient, the personal data transferred or the means by which the transfer is made or by reference to relevant legislation, lists or other documents, as they have effect from time to time;

(b)confer a discretion on a person.

(5)Regulations under this paragraph are subject to the negative resolution procedure.

(6)Sub-paragraphs (1) and (2) have effect in addition to section 74A(2) and (3).

11(1)The following are specified for the purposes of paragraph 10(1)—U.K.

(a) an EEA state;

(aa)Switzerland;

(b)Gibraltar;

(c)a third country, a territory or sector within a third country or an international organisation which is the subject of an adequacy decision made by the European Commission before IP completion day on the basis of Article 36(3) of the Law Enforcement Directive, other than a decision that, immediately before IP completion day, had been repealed or was suspended.

(2)Where a decision described in sub-paragraph (1)(c) states that an adequate level of protection of personal data is ensured only for a transfer specified or described in the decision, only such a transfer may rely on that provision and that decision for the purposes of paragraph 10(1).

(3)The reference to a decision in sub-paragraph (1)(c) is to the decision as it had effect in EU law immediately before IP completion day, subject to sub-paragraphs (4) and (5).

(4)For the purposes of this paragraph, where a reference to legislation, a list or another document in a decision described in sub-paragraph (1)(c) is a reference to the legislation, list or document as it has effect from time to time, it is to be treated as a reference to the legislation, list or other document as it has effect at the time of the transfer.

(5)For the purposes of this paragraph, where a decision described in sub-paragraph (1)(c) relates to—

(a)transfers from the European Union (or the European Community) or the European Economic Area, or

(b)transfers to which the Law Enforcement Directive applies,

it is to be treated as relating to equivalent transfers from the United Kingdom or transfers to which Part 3 of this Act applies (as appropriate).

12U.K.In section 74B(1), (3), (6) and (7)—

(a)references to regulations made under section 74A (other than references to making such regulations) include the provision made in paragraph 11;

(b)references to the revocation of such regulations include the repeal of all or part of paragraph 11.]