Search Legislation

Data Protection Act 2018

 Help about what version

What Version

 Help about advanced features

Advanced Features

Changes over time for: CHAPTER 5

 Help about opening options

Changes to legislation:

Data Protection Act 2018, CHAPTER 5 is up to date with all changes known to be in force on or before 08 August 2022. There are changes that may be brought into force at a future date. Changes that have been made appear in the content and are referenced with annotations. Help about Changes to Legislation

Close

Changes to Legislation

Revised legislation carried on this site may not be fully up to date. Changes and effects are recorded by our editorial team in lists which can be found in the ‘Changes to Legislation’ area. Where those effects have yet to be applied to the text of the legislation by the editorial team they are also listed alongside the legislation in the affected provisions. Use the ‘more’ link to open the changes and effects relevant to the provision you are viewing.

View outstanding changes

Changes and effects yet to be applied to the whole Act associated Parts and Chapters:

Whole provisions yet to be inserted into this Act (including any effects on those provisions):

CHAPTER 5U.K.Transfers of personal data to third countries etc

Overview and interpretationU.K.

72Overview and interpretationU.K.

(1)This Chapter deals with the transfer of personal data to third countries or international organisations, as follows—

(a)sections 73 to 76 set out the general conditions that apply;

(b)section 77 sets out the special conditions that apply where the intended recipient of personal data is not a relevant authority in a third country or an international organisation;

(c)section 78 makes special provision about subsequent transfers of personal data.

(2)In this Chapter, “relevant authority”, in relation to a third country, means any person based in a third country that has (in that country) functions comparable to those of a competent authority.

General principles for transfersU.K.

73General principles for transfers of personal dataU.K.

(1)A controller may not transfer personal data to a third country or to an international organisation unless—

(a)the three conditions set out in subsections (2) to (4) are met, and

(b)in a case where the personal data was originally transmitted or otherwise made available to the controller or another competent authority by a member State F1..., that member State, or any person based in that member State which is a competent authority for the purposes of the Law Enforcement Directive, has authorised the transfer in accordance with the law of the member State.

(2)Condition 1 is that the transfer is necessary for any of the law enforcement purposes.

(3)Condition 2 is that the transfer—

(a)is based on [F2adequacy regulations (see section 74A)],

(b)if not based on [F3adequacy regulations], is based on there being appropriate safeguards (see section 75), or

(c)if not based on [F4adequacy regulations] or on there being appropriate safeguards, is based on special circumstances (see section 76).

(4)Condition 3 is that—

(a)the intended recipient is a relevant authority in a third country or an international organisation that is a relevant international organisation, or

(b)in a case where the controller is a competent authority specified in any of paragraphs 5 to 17, 21, 24 to 28, 34 to 51, 54 and 56 of Schedule 7—

(i)the intended recipient is a person in a third country other than a relevant authority, and

(ii)the additional conditions in section 77 are met.

(5)Authorisation is not required as mentioned in subsection (1)(b) if—

(a)the transfer is necessary for the prevention of an immediate and serious threat either to the public security of F5... a third country or to the essential interests of a member State, and

(b)the authorisation cannot be obtained in good time.

(6)Where a transfer is made without the authorisation mentioned in subsection (1)(b), the authority in the member State which would have been responsible for deciding whether to authorise the transfer must be informed without delay.

(7)In this section, “relevant international organisation” means an international organisation that carries out functions for any of the law enforcement purposes.

F674Transfers on the basis of an adequacy decisionU.K.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

[F774ATransfers based on adequacy regulationsU.K.

(1)The Secretary of State may by regulations specify any of the following which the Secretary of State considers ensures an adequate level of protection of personal data—

(a)a third country,

(b)a territory or one or more sectors within a third country,

(c)an international organisation, or

(d)a description of such a country, territory, sector or organisation.

(2)For the purposes of this Part of this Act, a transfer of personal data to a third country or an international organisation is based on adequacy regulations if, at the time of the transfer, regulations made under this section are in force which specify, or specify a description which includes—

(a)in the case of a third country, the country or a relevant territory or sector within the country, and

(b)in the case of an international organisation, the organisation,

and such a transfer does not require specific authorisation.

(3)Regulations under this section may specify that the Secretary of State considers that an adequate level of protection of personal data is ensured only for a transfer specified or described in the regulations and, if they do so, only such a transfer may rely on those regulations for the purposes of subsection (2).

(4)When assessing the adequacy of the level of protection for the purposes of this section or section 74B, the Secretary of State must, in particular, take account of—

(a)the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation, which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data is transferred,

(b)the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with data protection rules, including adequate enforcement powers, for assisting and advising data subjects in exercising their rights and for cooperation with the Commissioner, and

(c)the international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.

(5)Regulations under this section—

(a)where they relate to a third country, must specify their territorial and sectoral application;

(b)where applicable, must specify the independent supervisory authority or authorities referred to in subsection (4)(b).

(6)Regulations under this section may, among other things—

(a)provide that, in relation to a country, territory, sector, organisation or territory specified, or falling within a description specified, in the regulations, section 74B(1) has effect as if it required the reviews described there to be carried out at such shorter intervals as are specified in the regulations;

(b)identify a transfer of personal data by any means, including by reference to the controller or processor, the recipient, the personal data transferred or the means by which the transfer is made or by reference to relevant legislation, lists or other documents, as they have effect from time to time;

(c)confer a discretion on a person.

(7)Regulations under this section are subject to the negative resolution procedure.]

[F774BTransfers based on adequacy regulations: review etcU.K.

(1)For so long as regulations under section 74A are in force which specify, or specify a description which includes, a third country, a territory or sector within a third country or an international organisation, the Secretary of State must carry out a review of whether the country, territory, sector or organisation ensures an adequate level of protection of personal data at intervals of not more than 4 years.

(2)Each review under subsection (1) must take into account all relevant developments in the third country or international organisation.

(3)The Secretary of State must, on an ongoing basis, monitor developments in third countries and international organisations that could affect decisions to make regulations under section 74A or to amend or revoke such regulations.

(4)Where the Secretary of State becomes aware that a country, territory, sector or organisation specified, or falling within a description specified, in regulations under section 74A no longer ensures an adequate level of protection of personal data, whether as a result of a review under this section or otherwise, the Secretary of State must, to the extent necessary, amend or revoke the regulations.

(5)Where regulations under section 74A are amended or revoked in accordance with subsection (4), the Secretary of State must enter into consultations with the third country or international organisation concerned with a view to remedying the lack of an adequate level of protection.

(6)The Secretary of State must publish—

(a)a list of the third countries, territories and specified sectors within a third country and international organisations, and the descriptions of such countries, territories, sectors and organisations, which are for the time being specified in regulations under section 74A, and

(b)a list of the third countries, territories and specified sectors within a third country and international organisations, and the descriptions of such countries, territories, sectors and organisations, which have been but are no longer specified in such regulations.

(7)In the case of regulations under section 74A which specify that an adequate level of protection of personal data is ensured only for a transfer specified or described in the regulations—

(a)the duty under subsection (1) is only to carry out a review of the level of protection ensured for such a transfer, and

(b)the lists published under subsection (6) must specify or describe the relevant transfers.]

75Transfers on the basis of appropriate safeguardsU.K.

(1)A transfer of personal data to a third country or an international organisation is based on there being appropriate safeguards where—

(a)a legal instrument containing appropriate safeguards for the protection of personal data binds the intended recipient of the data, or

(b)the controller, having assessed all the circumstances surrounding transfers of that type of personal data to the third country or international organisation, concludes that appropriate safeguards exist to protect the data.

(2)The controller must inform the Commissioner about the categories of data transfers that take place in reliance on subsection (1)(b).

(3)Where a transfer of data takes place in reliance on subsection (1)—

(a)the transfer must be documented,

(b)the documentation must be provided to the Commissioner on request, and

(c)the documentation must include, in particular—

(i)the date and time of the transfer,

(ii)the name of and any other pertinent information about the recipient,

(iii)the justification for the transfer, and

(iv)a description of the personal data transferred.

76Transfers on the basis of special circumstancesU.K.

(1)A transfer of personal data to a third country or international organisation is based on special circumstances where the transfer is necessary—

(a)to protect the vital interests of the data subject or another person,

(b)to safeguard the legitimate interests of the data subject,

(c)for the prevention of an immediate and serious threat to the public security of F8... a third country,

(d)in individual cases for any of the law enforcement purposes, or

(e)in individual cases for a legal purpose.

(2)But subsection (1)(d) and (e) do not apply if the controller determines that fundamental rights and freedoms of the data subject override the public interest in the transfer.

(3)Where a transfer of data takes place in reliance on subsection (1)—

(a)the transfer must be documented,

(b)the documentation must be provided to the Commissioner on request, and

(c)the documentation must include, in particular—

(i)the date and time of the transfer,

(ii)the name of and any other pertinent information about the recipient,

(iii)the justification for the transfer, and

(iv)a description of the personal data transferred.

(4)For the purposes of this section, a transfer is necessary for a legal purpose if—

(a)it is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings) relating to any of the law enforcement purposes,

(b)it is necessary for the purpose of obtaining legal advice in relation to any of the law enforcement purposes, or

(c)it is otherwise necessary for the purposes of establishing, exercising or defending legal rights in relation to any of the law enforcement purposes.

Transfers to particular recipientsU.K.

77Transfers of personal data to persons other than relevant authoritiesU.K.

(1)The additional conditions referred to in section 73(4)(b)(ii) are the following four conditions.

(2)Condition 1 is that the transfer is strictly necessary in a specific case for the performance of a task of the transferring controller as provided by law for any of the law enforcement purposes.

(3)Condition 2 is that the transferring controller has determined that there are no fundamental rights and freedoms of the data subject concerned that override the public interest necessitating the transfer.

(4)Condition 3 is that the transferring controller considers that the transfer of the personal data to a relevant authority in the third country would be ineffective or inappropriate (for example, where the transfer could not be made in sufficient time to enable its purpose to be fulfilled).

(5)Condition 4 is that the transferring controller informs the intended recipient of the specific purpose or purposes for which the personal data may, so far as necessary, be processed.

(6)Where personal data is transferred to a person in a third country other than a relevant authority, the transferring controller must inform a relevant authority in that third country without undue delay of the transfer, unless this would be ineffective or inappropriate.

(7)The transferring controller must—

(a)document any transfer to a recipient in a third country other than a relevant authority, and

(b)inform the Commissioner about the transfer.

(8)This section does not affect the operation of any international agreement in force between [F9the United Kingdom] and third countries in the field of judicial co-operation in criminal matters and police co-operation.

Subsequent transfersU.K.

78Subsequent transfersU.K.

(1)Where personal data is transferred in accordance with section 73, the transferring controller must make it a condition of the transfer that the data is not to be further transferred to a third country or international organisation without the authorisation of the transferring controller or another competent authority.

(2)A competent authority may give an authorisation under subsection (1) only where the further transfer is necessary for a law enforcement purpose.

(3)In deciding whether to give the authorisation, the competent authority must take into account (among any other relevant factors)—

(a)the seriousness of the circumstances leading to the request for authorisation,

(b)the purpose for which the personal data was originally transferred, and

(c)the standards for the protection of personal data that apply in the third country or international organisation to which the personal data would be transferred.

(4)In a case where the personal data was originally transmitted or otherwise made available to the transferring controller or another competent authority by a member State F10..., an authorisation may not be given under subsection (1) unless that member State, or any person based in that member State which is a competent authority for the purposes of the Law Enforcement Directive, has authorised the transfer in accordance with the law of the member State.

(5)Authorisation is not required as mentioned in subsection (4) if—

(a)the transfer is necessary for the prevention of an immediate and serious threat either to the public security of F11... a third country or to the essential interests of a member State, and

(b)the authorisation cannot be obtained in good time.

(6)Where a transfer is made without the authorisation mentioned in subsection (4), the authority in the member State which would have been responsible for deciding whether to authorise the transfer must be informed without delay.

Back to top

Options/Help

Print Options

You have chosen to open The Whole Act

The Whole Act you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.

Would you like to continue?

You have chosen to open The Whole Act as a PDF

The Whole Act you have selected contains over 200 provisions and might take some time to download.

Would you like to continue?

You have chosen to open The Whole Act without Schedules

The Whole Act without Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.

Would you like to continue?

You have chosen to open The Whole Act without Schedules as a PDF

The Whole Act without Schedules you have selected contains over 200 provisions and might take some time to download.

Would you like to continue?

You have chosen to open the Whole Act

The Whole Act you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.

Would you like to continue?

You have chosen to open the Whole Act without Schedules

The Whole Act without Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.

Would you like to continue?

You have chosen to open Schedules only

The Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.

Would you like to continue?

Close

Legislation is available in different versions:

Latest Available (revised):The latest available updated version of the legislation incorporating changes made by subsequent legislation and applied by our editorial team. Changes we have not yet applied to the text, can be found in the ‘Changes to Legislation’ area.

Original (As Enacted or Made): The original version of the legislation as it stood when it was enacted or made. No changes have been applied to the text.

Close

See additional information alongside the content

Geographical Extent: Indicates the geographical area that this provision applies to. For further information see ‘Frequently Asked Questions’.

Show Timeline of Changes: See how this legislation has or could change over time. Turning this feature on will show extra navigation options to go to these specific points in time. Return to the latest available version by using the controls above in the What Version box.

Close

Opening Options

Different options to open legislation in order to view more content on screen at once

Close

Explanatory Notes

Text created by the government department responsible for the subject matter of the Act to explain what the Act sets out to achieve and to make the Act accessible to readers who are not legally qualified. Explanatory Notes were introduced in 1999 and accompany all Public Acts except Appropriation, Consolidated Fund, Finance and Consolidation Acts.

Close

More Resources

Access essential accompanying documents and information for this legislation item from this tab. Dependent on the legislation item being viewed this may include:

  • the original print PDF of the as enacted version that was used for the print copy
  • lists of changes made by and/or affecting this legislation item
  • confers power and blanket amendment details
  • all formats of all associated documents
  • correction slips
  • links to related legislation and further information resources
Close

Timeline of Changes

This timeline shows the different points in time where a change occurred. The dates will coincide with the earliest date on which the change (e.g an insertion, a repeal or a substitution) that was applied came into force. The first date in the timeline will usually be the earliest date when the provision came into force. In some cases the first date is 01/02/1991 (or for Northern Ireland legislation 01/01/2006). This date is our basedate. No versions before this date are available. For further information see the Editorial Practice Guide and Glossary under Help.

Close

More Resources

Use this menu to access essential accompanying documents and information for this legislation item. Dependent on the legislation item being viewed this may include:

  • the original print PDF of the as enacted version that was used for the print copy
  • correction slips

Click 'View More' or select 'More Resources' tab for additional information including:

  • lists of changes made by and/or affecting this legislation item
  • confers power and blanket amendment details
  • all formats of all associated documents
  • links to related legislation and further information resources