Regulation (EU) 2016/679 of the European Parliament and of the CouncilShow full title

CHAPTER VU.K.Transfers of personal data to third countries or international organisations

Article 44U.K.General principle for transfers

Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.

Article 45U.K.Transfers on the basis of an adequacy decision

1.A transfer of personal data to a third country or an international organisation may take place [F1where it is based on adequacy regulations (see section 17A of the 2018 Act)]. Such a transfer shall not require any specific authorisation.

2.When assessing the adequacy of the level of protection [F2for the purposes of sections 17A and 17B of the 2018 Act, the Secretary of State] shall, in particular, take account of the following elements:

(a)the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred;

(b)the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with [F3the Commissioner]; and

(c)the international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.

F43.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F44.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F45.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F46.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

7.[F5The amendment or revocation of regulations under section 17A of the 2018 Act] is without prejudice to transfers of personal data to the third country, a territory or one or more specified sectors within that third country, or the international organisation in question pursuant to Articles 46 to 49.

F68.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F69.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Article 46U.K.Transfers subject to appropriate safeguards

1.In the absence of [F7adequacy regulations under section 17A of the 2018 Act], a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

2.The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from [F8the Commissioner], by:

(a)a legally binding and enforceable instrument between public authorities or bodies;

(b)binding corporate rules in accordance with Article 47;

[F9(c)standard data protection clauses specified in regulations made by the Secretary of State under section 17C of the 2018 Act and for the time being in force;]

[F10(d)standard data protection clauses specified in a document issued (and not withdrawn) by the Commissioner under section 119A of the 2018 Act and for the time being in force;]

(e)an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or

(f)an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.

3.[F11With authorisation from the Commissioner], the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by:

(a)contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or

(b)provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.

F124.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F125.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Article 47U.K.Binding corporate rules

1.[F13The Commissioner] shall approve binding corporate rules F14... , provided that they:

(a)are legally binding and apply to and are enforced by every member concerned of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees;

(b)expressly confer enforceable rights on data subjects with regard to the processing of their personal data; and

(c)fulfil the requirements laid down in paragraph 2.

2.The binding corporate rules referred to in paragraph 1 shall specify at least:

(a)the structure and contact details of the group of undertakings, or group of enterprises engaged in a joint economic activity and of each of its members;

(b)the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question;

(c)their legally binding nature, both internally and externally;

(d)the application of the general data protection principles, in particular purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the binding corporate rules;

(e)the rights of data subjects in regard to processing and the means to exercise those rights, including the right not to be subject to decisions based solely on automated processing, including profiling in accordance with Article 22, the right to lodge a complaint with [F15the Commissioner and before a court in accordance with Article 79 (see section 180 of the 2018 Act], and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules;

(f)the acceptance by the controller or processor [F16established in the United Kingdom] of liability for any breaches of the binding corporate rules by any member concerned [F17not established in the United Kingdom]; the controller or the processor shall be exempt from that liability, in whole or in part, only if it proves that that member is not responsible for the event giving rise to the damage;

(g)how the information on the binding corporate rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph is provided to the data subjects in addition to Articles 13 and 14;

(h)the tasks of any data protection officer designated in accordance with Article 37 or any other person or entity in charge of the monitoring compliance with the binding corporate rules within the group of undertakings, or group of enterprises engaged in a joint economic activity, as well as monitoring training and complaint-handling;

(i)the complaint procedures;

(j)the mechanisms within the group of undertakings, or group of enterprises engaged in a joint economic activity for ensuring the verification of compliance with the binding corporate rules. Such mechanisms shall include data protection audits and methods for ensuring corrective actions to protect the rights of the data subject. Results of such verification should be communicated to the person or entity referred to in point (h) and to the board of the controlling undertaking of a group of undertakings, or of the group of enterprises engaged in a joint economic activity, and should be available upon request to [F18the Commissioner];

(k)the mechanisms for reporting and recording changes to the rules and reporting those changes to [F19the Commissioner];

(l)the cooperation mechanism with [F20the Commissioner] to ensure compliance by any member of the group of undertakings, or group of enterprises engaged in a joint economic activity, in particular by making available to [F20the Commissioner] the results of verifications of the measures referred to in point (j);

(m)the mechanisms for reporting to [F21the Commissioner] any legal requirements to which a member of the group of undertakings, or group of enterprises engaged in a joint economic activity is subject in a third country which are likely to have a substantial adverse effect on the guarantees provided by the binding corporate rules; and

(n)the appropriate data protection training to personnel having permanent or regular access to personal data.

F223.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F23Article 48U.K.Transfers or disclosures not authorised by Union law

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Article 49U.K.Derogations for specific situations

1.In the absence of [F24adequacy regulations under section 17A of the 2018 Act], or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:

(a)the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;

(b)the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;

(c)the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;

(d)the transfer is necessary for important reasons of public interest;

(e)the transfer is necessary for the establishment, exercise or defence of legal claims;

(f)the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;

(g)the transfer is made from a register which according to [F25domestic law] is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by [F25domestic law] for consultation are fulfilled in the particular case.

Where a transfer could not be based on a provision in Article 45 or 46, including the provisions on binding corporate rules, and none of the derogations for a specific situation referred to in the first subparagraph of this paragraph is applicable, a transfer to a third country or an international organisation may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. The controller shall inform [F26the Commissioner] of the transfer. The controller shall, in addition to providing the information referred to in Articles 13 and 14, inform the data subject of the transfer and on the compelling legitimate interests pursued.

2.A transfer pursuant to point (g) of the first subparagraph of paragraph 1 shall not involve the entirety of the personal data or entire categories of the personal data contained in the register. Where the register is intended for consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or if they are to be the recipients.

3.Points (a), (b) and (c) of the first subparagraph of paragraph 1 and the second subparagraph thereof shall not apply to activities carried out by public authorities in the exercise of their public powers.

4.The public interest referred to in point (d) of the first subparagraph of paragraph 1 [F27must be public interest that is recognised in domestic law (whether in regulations under section 18(1) of the 2018 Act or otherwise)].

F285.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

[F295A.This Article and Article 46 are subject to restrictions in regulations under section 18(2) of the 2018 Act.]

6.The controller or processor shall document the assessment as well as the suitable safeguards referred to in the second subparagraph of paragraph 1 of this Article in the records referred to in Article 30.

Article 50U.K.International cooperation for the protection of personal data

In relation to third countries and international organisations, [F30the Commissioner] shall take appropriate steps to: