Regulation (EU) 2016/679 of the European Parliament and of the CouncilShow full title

CHAPTER VU.K.Transfers of personal data to third countries or international organisations

Article 44U.K.General principle for transfers

Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.

Article 45U.K.Transfers on the basis of an adequacy decision

1.A transfer of personal data to a third country or an international organisation may take place [F1where it is based on adequacy regulations (see section 17A of the 2018 Act)]. Such a transfer shall not require any specific authorisation.

2.When assessing the adequacy of the level of protection [F2for the purposes of sections 17A and 17B of the 2018 Act, the Secretary of State] shall, in particular, take account of the following elements:

(a)the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred;

(b)the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with [F3the Commissioner]; and

(c)the international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.

F43.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F44.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F45.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F46.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

7.[F5The amendment or revocation of regulations under section 17A of the 2018 Act] is without prejudice to transfers of personal data to the third country, a territory or one or more specified sectors within that third country, or the international organisation in question pursuant to Articles 46 to 49.

F68.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F69.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

[F7Article 45AU.K.Transfers approved by regulations

1.For the purposes of Article 44A, the Secretary of State may by regulations approve transfers of personal data to—

(a)a third country, or

(b)an international organisation.

2.The Secretary of State may only make regulations under this Article approving transfers to a third country or international organisation if the Secretary of State considers that the data protection test is met in relation to the transfers (see Article 45B).

3.In making regulations under this Article, the Secretary of State may have regard to any matter which the Secretary of State considers relevant, including the desirability of facilitating transfers of personal data to and from the United Kingdom.

4.Regulations under this Article may, among other things—

(a)make provision in relation to a third country or international organisation specified in the regulations or a description of country or organisation;

(b)approve all transfers of personal data to a third country or international organisation or only transfers specified or described in the regulations;

(c)identify a transfer of personal data by any means, including by reference to—

(i)a sector or geographic area within a third country,

(ii)the controller or processor,

(iii)the recipient of the personal data,

(iv)the personal data transferred,

(v)the means by which the transfer is made, or

(vi)relevant legislation, schemes, lists or other arrangements or documents, as they have effect from time to time;

(d)confer a discretion on a person.

5.Regulations under this Article are subject to the negative resolution procedure.

Article 45BU.K.The data protection test

1.For the purposes of Article 45A, the data protection test is met in relation to transfers of personal data to a third country or international organisation if the standard of the protection provided for data subjects with regard to general processing of personal data in the country or by the organisation is not materially lower than the standard of the protection provided for data subjects by or under—

(a)this Regulation,

(b)Part 2 of the 2018 Act, and

(c)Parts 5 to 7 of that Act, so far as relevant to general processing.

2.In considering whether the data protection test is met in relation to transfers of personal data to a third country or international organisation, the Secretary of State must consider, among other things—

(a)respect for the rule of law and for human rights in the country or by the organisation,

(b)the existence, and powers, of an authority responsible for enforcing the protection of data subjects with regard to the processing of personal data in the country or by the organisation,

(c)arrangements for judicial or non-judicial redress for data subjects in connection with such processing,

(d)rules about the transfer of personal data from the country or by the organisation to other countries or international organisations,

(e)relevant international obligations of the country or organisation, and

(f)the constitution, traditions and culture of the country or organisation.

3.In paragraphs 1 and 2—

(a)the references to the protection provided for data subjects are to that protection taken as a whole,

(b)the references to general processing are to processing to which this Regulation applies or equivalent types of processing in the third country or by the international organisation (as appropriate), and

(c)the references to processing of personal data in the third country or by the international organisation are references only to the processing of personal data transferred to the country or organisation by means of processing to which this Regulation applies as described in Article 3.

4.When the data protection test is applied only to certain transfers to a third country or international organisation that are specified or described, or to be specified or described, in regulations (in accordance with Article 45A(4)(b))—

(a)the references in paragraphs 1 to 3 to personal data are to be read as references only to personal data likely to be the subject of such transfers, and

(b)the reference in paragraph 2(d) to transfer to other countries or international organisations is to be read as including transfer within the third country or international organisation.]

Article 46U.K.Transfers subject to appropriate safeguards

1.In the absence of [F8adequacy regulations under section 17A of the 2018 Act], a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

2.The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from [F9the Commissioner], by:

(a)a legally binding and enforceable instrument between public authorities or bodies;

(b)binding corporate rules in accordance with Article 47;

[F10(c)standard data protection clauses specified in regulations made by the Secretary of State under section 17C of the 2018 Act and for the time being in force;]

[F11(d)standard data protection clauses specified in a document issued (and not withdrawn) by the Commissioner under section 119A of the 2018 Act and for the time being in force;]

(e)an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or

(f)an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.

3.[F12With authorisation from the Commissioner], the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by:

(a)contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or

(b)provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.

F134.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F135.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Article 47U.K.Binding corporate rules

1.[F14The Commissioner] shall approve binding corporate rules F15... , provided that they:

(a)are legally binding and apply to and are enforced by every member concerned of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees;

(b)expressly confer enforceable rights on data subjects with regard to the processing of their personal data; and

(c)fulfil the requirements laid down in paragraph 2.

2.The binding corporate rules referred to in paragraph 1 shall specify at least:

(a)the structure and contact details of the group of undertakings, or group of enterprises engaged in a joint economic activity and of each of its members;

(b)the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question;

(c)their legally binding nature, both internally and externally;

(d)the application of the general data protection principles, in particular purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the binding corporate rules;

(e)the rights of data subjects in regard to processing and the means to exercise those rights, including the right not to be subject to decisions based solely on automated processing, including profiling in accordance with Article 22, the right to lodge a complaint with [F16the Commissioner and before a court in accordance with Article 79 (see section 180 of the 2018 Act], and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules;

(f)the acceptance by the controller or processor [F17established in the United Kingdom] of liability for any breaches of the binding corporate rules by any member concerned [F18not established in the United Kingdom]; the controller or the processor shall be exempt from that liability, in whole or in part, only if it proves that that member is not responsible for the event giving rise to the damage;

(g)how the information on the binding corporate rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph is provided to the data subjects in addition to Articles 13 and 14;

(h)the tasks of any data protection officer designated in accordance with Article 37 or any other person or entity in charge of the monitoring compliance with the binding corporate rules within the group of undertakings, or group of enterprises engaged in a joint economic activity, as well as monitoring training and complaint-handling;

(i)the complaint procedures;

(j)the mechanisms within the group of undertakings, or group of enterprises engaged in a joint economic activity for ensuring the verification of compliance with the binding corporate rules. Such mechanisms shall include data protection audits and methods for ensuring corrective actions to protect the rights of the data subject. Results of such verification should be communicated to the person or entity referred to in point (h) and to the board of the controlling undertaking of a group of undertakings, or of the group of enterprises engaged in a joint economic activity, and should be available upon request to [F19the Commissioner];

(k)the mechanisms for reporting and recording changes to the rules and reporting those changes to [F20the Commissioner];

(l)the cooperation mechanism with [F21the Commissioner] to ensure compliance by any member of the group of undertakings, or group of enterprises engaged in a joint economic activity, in particular by making available to [F21the Commissioner] the results of verifications of the measures referred to in point (j);

(m)the mechanisms for reporting to [F22the Commissioner] any legal requirements to which a member of the group of undertakings, or group of enterprises engaged in a joint economic activity is subject in a third country which are likely to have a substantial adverse effect on the guarantees provided by the binding corporate rules; and

(n)the appropriate data protection training to personnel having permanent or regular access to personal data.

F233.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

[F24Article 47AU.K.Transfers subject to appropriate safeguards: further provision

1.The Secretary of State may by regulations specify standard data protection clauses which the Secretary of State considers are capable of securing that the data protection test set out in Article 46 is met in relation to transfers of personal data generally or in relation to a type of transfer specified in the regulations.

2.The Secretary of State must keep under review the standard data protection clauses specified in regulations under paragraph 1 that are for the time being in force.

3.Regulations under paragraph 1 are subject to the negative resolution procedure.

4.The Secretary of State may by regulations make provision about further safeguards that may be relied on for the purposes of Article 46(1A)(a).

5.The Secretary of State may only make regulations under paragraph 4 if the Secretary of State considers that the further safeguards are capable of securing that the data protection test set out in Article 46 is met in relation to transfers of personal data generally or in relation to a type of transfer specified in the regulations.

6.Regulations under paragraph 4 may, among other things—

(a)make provision by adopting safeguards prepared or published by another person;

(b)make provision about ways of providing safeguards which require authorisation from the Commissioner.

7.Regulations under paragraph 4 which amend Article 46 may do so only in the following ways—

(a)by adding ways of providing safeguards, or

(b)by varying or omitting ways of providing safeguards which were added by regulations under this Article.

8.Regulations under paragraph 4 are subject to the affirmative resolution procedure.]

F25Article 48U.K.Transfers or disclosures not authorised by Union law

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Article 49U.K.Derogations for specific situations

1.In the absence of [F26adequacy regulations under section 17A of the 2018 Act], or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:

(a)the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;

(b)the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;

(c)the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;

(d)the transfer is necessary for important reasons of public interest;

(e)the transfer is necessary for the establishment, exercise or defence of legal claims;

(f)the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;

(g)the transfer is made from a register which according to [F27domestic law] is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by [F27domestic law] for consultation are fulfilled in the particular case.

Where a transfer could not be based on a provision in Article 45 or 46, including the provisions on binding corporate rules, and none of the derogations for a specific situation referred to in the first subparagraph of this paragraph is applicable, a transfer to a third country or an international organisation may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. The controller shall inform [F28the Commissioner] of the transfer. The controller shall, in addition to providing the information referred to in Articles 13 and 14, inform the data subject of the transfer and on the compelling legitimate interests pursued.

2.A transfer pursuant to point (g) of the first subparagraph of paragraph 1 shall not involve the entirety of the personal data or entire categories of the personal data contained in the register. Where the register is intended for consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or if they are to be the recipients.

3.Points (a), (b) and (c) of the first subparagraph of paragraph 1 and the second subparagraph thereof shall not apply to activities carried out by public authorities in the exercise of their public powers.

4.The public interest referred to in point (d) of the first subparagraph of paragraph 1 [F29must be public interest that is recognised in domestic law (whether in regulations under section 18(1) of the 2018 Act or otherwise)].

[F304A.The Secretary of State may by regulations specify for the purposes of point (d) of paragraph 1—

(a)circumstances in which a transfer of personal data to a third country or international organisation is to be taken to be necessary for important reasons of public interest, and

(b)circumstances in which a transfer of personal data to a third country or international organisation which is not required by an enactment is not to be taken to be necessary for important reasons of public interest.]

F315.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

[F325A.This Article and Article 46 are subject to restrictions in regulations under section 18(2) of the 2018 Act.]

6.The controller or processor shall document the assessment as well as the suitable safeguards referred to in the second subparagraph of paragraph 1 of this Article in the records referred to in Article 30.

[F337.Regulations under this Article—

(a)are subject to the made affirmative resolution procedure where the Secretary of State has made an urgency statement in respect of them;

(b)otherwise, are subject to the affirmative resolution procedure.

8.For the purposes of this Article, an urgency statement is a reasoned statement that the Secretary of State considers it desirable for the regulations to come into force without delay.]

[F34Article 49AU.K.Restriction in the public interest

1.The Secretary of State may by regulations restrict the transfer of a category of personal data to a third country or international organisation where—

(a)the transfer is not approved by regulations under Article 45A for the time being in force, and

(b)the Secretary of State considers the restriction to be necessary for important reasons of public interest.

2.Regulations under this Article—

(a)are subject to the made affirmative resolution procedure where the Secretary of State has made an urgency statement in respect of them;

(b)otherwise, are subject to the affirmative resolution procedure.

3.For the purposes of this Article, an urgency statement is a reasoned statement that the Secretary of State considers it desirable for the regulations to come into force without delay.]

Article 50U.K.International cooperation for the protection of personal data

In relation to third countries and international organisations, [F35the Commissioner] shall take appropriate steps to: