Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation) (Text with EEA relevance)

This item of legislation originated from the EU

Legislation.gov.uk publishes the UK version. EUR-Lex publishes the EU version. The EU Exit Web Archive holds a snapshot of EUR-Lex’s version from IP completion day (31 December 2020 11.00 p.m.).

Changes to legislation:

Regulation (EU) 2016/679 of the European Parliament and of the Council, CHAPTER V is up to date with all changes known to be in force on or before 13 February 2026. There are changes that may be brought into force at a future date. Changes that have been made appear in the content and are referenced with annotations.

CHAPTER V Transfers of personal data to third countries or international organisations

F1Article 44 General principle for transfers

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

[F2Article 44A General principles for transfers

1. A controller or processor may transfer personal data to a third country or an international organisation only if—

(a) the condition in paragraph 2 is met, and

(b) the transfer is carried out in compliance with the other provisions of this Regulation.

2. The condition is met if the transfer—

(a) is approved by regulations under Article 45A that are in force at the time of the transfer,

(b) is made subject to appropriate safeguards (see Article 46), or

(c) is made in reliance on a derogation for specific situations (see Article 49).

3. A transfer may not be made in reliance on paragraph 2(b) or (c) if, or to the extent that, it would breach a restriction in regulations under Article 49A.]

F3Article 45 Transfers on the basis of an adequacy decision

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

[F4Article 45A Transfers approved by regulations

1. For the purposes of Article 44A, the Secretary of State may by regulations approve transfers of personal data to—

(a) a third country, or

(b) an international organisation.

2. The Secretary of State may only make regulations under this Article approving transfers to a third country or international organisation if the Secretary of State considers that the data protection test is met in relation to the transfers (see Article 45B).

3. In making regulations under this Article, the Secretary of State may have regard to any matter which the Secretary of State considers relevant, including the desirability of facilitating transfers of personal data to and from the United Kingdom.

4. Regulations under this Article may, among other things—

(a) make provision in relation to a third country or international organisation specified in the regulations or a description of country or organisation;

(b) approve all transfers of personal data to a third country or international organisation or only transfers specified or described in the regulations;

(c) identify a transfer of personal data by any means, including by reference to—

(i) a sector or geographic area within a third country,

(ii) the controller or processor,

(iii) the recipient of the personal data,

(iv) the personal data transferred,

(v) the means by which the transfer is made, or

(vi) relevant legislation, schemes, lists or other arrangements or documents, as they have effect from time to time;

(d) confer a discretion on a person.

5. Regulations under this Article are subject to the negative resolution procedure.

Textual Amendments

F4Arts. 45A, 45B inserted (19.6.2025 for specified purposes, 5.2.2026 in so far as not already in force) by Data (Use and Access) Act 2025 (c. 18), s. 142(1)(2)(h), Sch. 7 para. 4; S.I. 2026/82, reg. 2(z9)

Article 45B The data protection test

1. For the purposes of Article 45A, the data protection test is met in relation to transfers of personal data to a third country or international organisation if the standard of the protection provided for data subjects with regard to general processing of personal data in the country or by the organisation is not materially lower than the standard of the protection provided for data subjects by or under—

(a) this Regulation,

(b) Part 2 of the 2018 Act, and

(c) Parts 5 to 7 of that Act, so far as relevant to general processing.

2. In considering whether the data protection test is met in relation to transfers of personal data to a third country or international organisation, the Secretary of State must consider, among other things—

(a) respect for the rule of law and for human rights in the country or by the organisation,

(b) the existence, and powers, of an authority responsible for enforcing the protection of data subjects with regard to the processing of personal data in the country or by the organisation,

(c) arrangements for judicial or non-judicial redress for data subjects in connection with such processing,

(d) rules about the transfer of personal data from the country or by the organisation to other countries or international organisations,

(e) relevant international obligations of the country or organisation, and

(f) the constitution, traditions and culture of the country or organisation.

3. In paragraphs 1 and 2—

(a) the references to the protection provided for data subjects are to that protection taken as a whole,

(b) the references to general processing are to processing to which this Regulation applies or equivalent types of processing in the third country or by the international organisation (as appropriate), and

(c) the references to processing of personal data in the third country or by the international organisation are references only to the processing of personal data transferred to the country or organisation by means of processing to which this Regulation applies as described in Article 3.

4. When the data protection test is applied only to certain transfers to a third country or international organisation that are specified or described, or to be specified or described, in regulations (in accordance with Article 45A(4)(b))—

(a) the references in paragraphs 1 to 3 to personal data are to be read as references only to personal data likely to be the subject of such transfers, and

(b) the reference in paragraph 2(d) to transfer to other countries or international organisations is to be read as including transfer within the third country or international organisation.]

[F5Article 45C Transfers approved by regulations: monitoring

1. The Secretary of State must, on an ongoing basis, monitor developments in third countries and international organisations that could affect decisions to make regulations under Article 45A or to amend or revoke such regulations.

2. Where the Secretary of State becomes aware that the data protection test is no longer met in relation to transfers approved, or of a description approved, in regulations under Article 45A, the Secretary of State must, to the extent necessary, amend or revoke the regulations.

3. Where regulations under Article 45A are amended or revoked in accordance with paragraph 2, the Secretary of State must enter into consultations with the third country or international organisation concerned with a view to improving the protection provided to data subjects with regard to the processing of personal data in the country or by the organisation.

4. The Secretary of State must publish—

(a) a list of the third countries and international organisations, and the descriptions of such countries and organisations, which are for the time being approved by regulations under Article 45A as places or persons to which personal data may be transferred, and

(b) a list of the third countries and international organisations, and the descriptions of such countries and organisations, which have been but are no longer approved by such regulations.

5. In the case of regulations under Article 45A which approve only certain transfers to a third country or international organisation specified or described in the regulations (in accordance with Article 45A(4)(b)), the lists published under paragraph 4 must specify or describe the relevant transfers.]

Article 46 Transfers subject to appropriate safeguards

F6 1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

[F7 1A. A transfer of personal data to a third country or an international organisation by a controller or processor is made subject to appropriate safeguards only—

(a) in a case in which—

(i) safeguards are provided in connection with the transfer as described in paragraph 2 or 3 or regulations made under Article 47A(4), and

(ii) the controller or processor, acting reasonably and proportionately, considers that the data protection test is met in relation to the transfer or that type of transfer (see paragraph 6), or

(b) in a case in which—

(i) safeguards are provided in accordance with paragraph 2(a) by an instrument that is intended to be relied on in connection with the transfer or that type of transfer, and

(ii) each public body that is a party to the instrument, acting reasonably and proportionately, considers that the data protection test is met in relation to the transfers, or types of transfer, intended to be made in reliance on the instrument (see paragraph 6).]

2. The F8... safeguards referred to in [F9paragraph 1A(a)] may be provided for, without requiring any specific authorisation from [F10the Commissioner], by:

(a) a legally binding and enforceable instrument between [F11a public body and another relevant person or persons];

(b) binding corporate rules [F12approved] in accordance with Article 47;

[F13(c) standard data protection clauses specified in regulations made by the Secretary of State under [F14Article 47A(1)] and for the time being in force;]

[F15(d) standard data protection clauses specified in a document issued (and not withdrawn) by the Commissioner [F16for the purposes of this Article] under section 119A of the 2018 Act and for the time being in force;]

(e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the [F17safeguards provided by the code], including as regards data subjects' rights; or

(f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the [F18safeguards provided by the mechanism], including as regards data subjects' rights.

3. [F19With authorisation from the Commissioner], the F20... safeguards referred to in [F21paragraph 1A(a)] may also be provided for F22... by:

(a) contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or

(b) provisions to be inserted into administrative arrangements between [F23a public body and another relevant person or persons] which include enforceable and effective data subject rights.

F24 4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F24 5. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

[F25 6. For the purposes of this Article, the data protection test is met in relation to a transfer, or a type of transfer, of personal data if, after the transfer, the standard of the protection provided for the data subject with regard to that personal data by the safeguards required under paragraph 1A, and (where relevant) by other means, would not be materially lower than the standard of the protection provided for the data subject with regard to the personal data by or under—

(a) this Regulation,

(b) Part 2 of the 2018 Act, and

(c) Parts 5 to 7 of that Act, so far as relevant to processing to which this Regulation applies.

7. For the purposes of paragraph 1A(a)(ii) and (b)(ii), what is reasonable and proportionate is to be determined by reference to all the circumstances, or likely circumstances, of the transfer or type of transfer, including the nature and volume of the personal data transferred.

8. In this Article—

(a) references to the protection provided for the data subject are to that protection taken as a whole;

(b) “relevant person” means a public body or another person exercising functions of a public nature.]

Article 47 [F26Transfers subject to appropriate safeguards:] Binding corporate rules

1. [F27The Commissioner] shall approve binding corporate rules F28... , provided that they:

(a) are legally binding and apply to and are enforced by every member concerned of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees;

(b) expressly confer enforceable rights on data subjects with regard to the processing of their personal data; and

(c) fulfil the requirements laid down in paragraph 2.

2. The binding corporate rules referred to in paragraph 1 shall specify at least:

(a) the structure and contact details of the group of undertakings, or group of enterprises engaged in a joint economic activity and of each of its members;

(b) the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question;

(c) their legally binding nature, both internally and externally;

(d) the application of the general data protection principles, in particular purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the binding corporate rules;

(e) the rights of data subjects in regard to processing and the means to exercise those rights, including [F29the right to protection in accordance with, and with regulations made under, Articles 22A to 22D in connection with decisions based solely on automated processing (including decisions reached by means of profiling)], the right to lodge a complaint with [F30the Commissioner and before a court in accordance with Article 79 (see section 180 of the 2018 Act], and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules;

(f) the acceptance by the controller or processor [F31established in the United Kingdom] of liability for any breaches of the binding corporate rules by any member concerned [F32not established in the United Kingdom]; the controller or the processor shall be exempt from that liability, in whole or in part, only if it proves that that member is not responsible for the event giving rise to the damage;

(g) how the information on the binding corporate rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph is provided to the data subjects in addition to Articles 13 and 14;

(h) the tasks of any data protection officer designated in accordance with Article 37 or any other person or entity in charge of the monitoring compliance with the binding corporate rules within the group of undertakings, or group of enterprises engaged in a joint economic activity, as well as monitoring training and complaint-handling;

(i) the complaint procedures;

(j) the mechanisms within the group of undertakings, or group of enterprises engaged in a joint economic activity for ensuring the verification of compliance with the binding corporate rules. Such mechanisms shall include data protection audits and methods for ensuring corrective actions to protect the rights of the data subject. Results of such verification should be communicated to the person or entity referred to in point (h) and to the board of the controlling undertaking of a group of undertakings, or of the group of enterprises engaged in a joint economic activity, and should be available upon request to [F33the Commissioner];

(k) the mechanisms for reporting and recording changes to the rules and reporting those changes to [F34the Commissioner];

(l) the cooperation mechanism with [F35the Commissioner] to ensure compliance by any member of the group of undertakings, or group of enterprises engaged in a joint economic activity, in particular by making available to [F35the Commissioner] the results of verifications of the measures referred to in point (j);

(m) the mechanisms for reporting to [F36the Commissioner] any legal requirements to which a member of the group of undertakings, or group of enterprises engaged in a joint economic activity is subject in a third country which are likely to have a substantial adverse effect on the guarantees provided by the binding corporate rules; and

(n) the appropriate data protection training to personnel having permanent or regular access to personal data.

F37 3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Textual Amendments

F29Words in Art. 47(2)(e) substituted (5.2.2026) by Data (Use and Access) Act 2025 (c. 18), s. 142(1), Sch. 6 para. 8; S.I. 2026/82, reg. 2(z8) (with reg. 5)

[F38Article 47A Transfers subject to appropriate safeguards: further provision

1. The Secretary of State may by regulations specify standard data protection clauses which the Secretary of State considers are capable of securing that the data protection test set out in Article 46 is met in relation to transfers of personal data generally or in relation to a type of transfer specified in the regulations.

2. The Secretary of State must keep under review the standard data protection clauses specified in regulations under paragraph 1 that are for the time being in force.

3. Regulations under paragraph 1 are subject to the negative resolution procedure.

4. The Secretary of State may by regulations make provision about further safeguards that may be relied on for the purposes of Article 46(1A)(a).

5. The Secretary of State may only make regulations under paragraph 4 if the Secretary of State considers that the further safeguards are capable of securing that the data protection test set out in Article 46 is met in relation to transfers of personal data generally or in relation to a type of transfer specified in the regulations.

6. Regulations under paragraph 4 may, among other things—

(a) make provision by adopting safeguards prepared or published by another person;

(b) make provision about ways of providing safeguards which require authorisation from the Commissioner.

7. Regulations under paragraph 4 which amend Article 46 may do so only in the following ways—

(a) by adding ways of providing safeguards, or

(b) by varying or omitting ways of providing safeguards which were added by regulations under this Article.

8. Regulations under paragraph 4 are subject to the affirmative resolution procedure.]

Textual Amendments

F38Art. 47A inserted (19.6.2025 for specified purposes, 5.2.2026 in so far as not already in force) by Data (Use and Access) Act 2025 (c. 18), s. 142(1)(2)(h), Sch. 7 para. 8; S.I. 2026/82, reg. 2(z9)

F39Article 48 Transfers or disclosures not authorised by Union law

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Article 49 Derogations for specific situations

1. In the absence of [F40approval by regulations under Article 45A and of compliance with Article 46 (appropriate safeguards)], a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:

(a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of [F41approval by regulations under Article 45A] and appropriate safeguards;

(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;

(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;

(d) the transfer is necessary for important reasons of public interest;

(e) the transfer is necessary for the establishment, exercise or defence of legal claims;

(f) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;

(g) the transfer is made from a register which according to [F42domestic law] is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by [F42domestic law] for consultation are fulfilled in the particular case.

Where a transfer could not be based on [F43Article 45A] or 46, including the provisions on binding corporate rules, and none of the derogations for a specific situation referred to in the first subparagraph of this paragraph is applicable, a transfer to a third country or an international organisation may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. The controller shall inform [F44the Commissioner] of the transfer. The controller shall, in addition to providing the information referred to in Articles 13 and 14, inform the data subject of the transfer and on the compelling legitimate interests pursued.

2. A transfer pursuant to point (g) of the first subparagraph of paragraph 1 shall not involve the entirety of the personal data or entire categories of the personal data contained in the register. Where the register is intended for consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or if they are to be the recipients.

3. Points (a), (b) and (c) of the first subparagraph of paragraph 1 and the second subparagraph thereof shall not apply to activities carried out by public authorities in the exercise of their public powers.

4. The public interest referred to in point (d) of the first subparagraph of paragraph 1 [F45must be public interest that is recognised in domestic law (whether in regulations under [F46paragraph 4A] or otherwise)].

[F47 4A. The Secretary of State may by regulations specify for the purposes of point (d) of paragraph 1—

(a) circumstances in which a transfer of personal data to a third country or international organisation is to be taken to be necessary for important reasons of public interest, and

(b) circumstances in which a transfer of personal data to a third country or international organisation which is not required by an enactment is not to be taken to be necessary for important reasons of public interest.]

F48 5. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F49 5A. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

6. The controller or processor shall document the assessment as well as the suitable safeguards referred to in the second subparagraph of paragraph 1 of this Article in the records referred to in Article 30.

[F50 7. Regulations under this Article—

(a) are subject to the made affirmative resolution procedure where the Secretary of State has made an urgency statement in respect of them;

(b) otherwise, are subject to the affirmative resolution procedure.

8. For the purposes of this Article, an urgency statement is a reasoned statement that the Secretary of State considers it desirable for the regulations to come into force without delay.]

Textual Amendments

F47Art. 49(4A) inserted (19.6.2025 for specified purposes, 5.2.2026 in so far as not already in force) by Data (Use and Access) Act 2025 (c. 18), s. 142(1)(2)(h), Sch. 7 para. 9(5); S.I. 2026/82, reg. 2(z9)

F50Art. 49(7)(8) inserted (19.6.2025 for specified purposes, 5.2.2026 in so far as not already in force) by Data (Use and Access) Act 2025 (c. 18), s. 142(1)(2)(h), Sch. 7 para. 9(7); S.I. 2026/82, reg. 2(z9)

[F51Article 49A Restriction in the public interest

1. The Secretary of State may by regulations restrict the transfer of a category of personal data to a third country or international organisation where—

(a) the transfer is not approved by regulations under Article 45A for the time being in force, and

(b) the Secretary of State considers the restriction to be necessary for important reasons of public interest.

2. Regulations under this Article—

(a) are subject to the made affirmative resolution procedure where the Secretary of State has made an urgency statement in respect of them;

(b) otherwise, are subject to the affirmative resolution procedure.

3. For the purposes of this Article, an urgency statement is a reasoned statement that the Secretary of State considers it desirable for the regulations to come into force without delay.]

Textual Amendments

F51Art. 49A inserted (19.6.2025 for specified purposes, 5.2.2026 in so far as not already in force) by Data (Use and Access) Act 2025 (c. 18), s. 142(1)(2)(h), Sch. 7 para. 10; S.I. 2026/82, reg. 2(z9)

Article 50 International cooperation for the protection of personal data

In relation to third countries and international organisations, [F52the Commissioner] shall take appropriate steps to:

(a) develop international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data;

(b) provide international mutual assistance in the enforcement of legislation for the protection of personal data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal data and F53... fundamental rights and freedoms;

(c) engage relevant stakeholders in discussion and activities aimed at furthering international cooperation in the enforcement of legislation for the protection of personal data;

(d) promote the exchange and documentation of personal data protection legislation and practice, including on jurisdictional conflicts with third countries.
