F1SCHEDULE 21Further transitional provision etc
Part 3Transfers to third countries and international organisations
UK GDPR: transfers subject to appropriate safeguards provided by binding corporate rules
9
(1)
The appropriate safeguards referred to in Article 46(1) of the UK GDPR may be provided for on and after IP completion day as described sub-paragraphs (2) to (4), subject to sub-paragraph (5).
(2)
The safeguards may be provided for by any binding corporate rules authorised by the Commissioner which, immediately before IP completion day, provided for the appropriate safeguards referred to in Article 46(1) of the EU GDPR by virtue of Article 46(5) of the EU GDPR.
(3)
The safeguards may be provided for by a version of binding corporate rules described in sub-paragraph (2) incorporating changes where—
(a)
all of the changes are made in consequence of the withdrawal of the United Kingdom from the EU or provision made by regulations under section 8 or 23 of the European Union (Withdrawal) Act 2018 (or both), and
(b)
none of the changes alters the effect of the rules.
(4)
The following changes are to be treated as falling within sub-paragraph (3)(a) and (b)—
(a)
changing references to adequacy decisions made by the European Commission into references to equivalent provision made by regulations under section 17A or by or under paragraphs 4 to 6 of this Schedule;
(b)
changing references to transferring personal data outside the European Union or the European Economic Area into references to transferring personal data outside the United Kingdom.
(5)
Sub-paragraphs (2) to (4) cease to apply in relation to binding corporate rules if, on or after IP completion day, the Commissioner withdraws the authorisation of the rules (or, where sub-paragraph (3) is relied on, the authorisation of the rules mentioned in sub-paragraph (2)).
(5A)
For the purposes of sub-paragraph (2), binding corporate rules which, immediately before IP completion day, provided for the appropriate safeguards referred to in Article 46(1) of the EU GDPR by virtue of Article 46(5) of the EU GDPR but which were authorised other than by the Commissioner are to be treated as authorised by the Commissioner where—
(a)
a valid notification of the rules has been made to the Commissioner,
(b)
the Commissioner has approved them, and
(c)
that approval has not been withdrawn.
(5B)
A notification is valid if it—
(a)
is made by a controller or processor established in the United Kingdom,
(b)
is made to the Commissioner before the end of the period of 6 months beginning with IP completion day, and
(c)
includes—
(i)
the name and contact details of the data protection officer or other contact point for the controller or processor, and
(ii)
such other information as the Commissioner may reasonably require.
(5C)
Where a valid notification is made the Commissioner must, without undue delay—
(a)
decide whether or not to approve the rules, and
(b)
notify the controller or processor of that decision.
(6)
The Commissioner must keep the operation of this paragraph under review.
(7)
In this paragraph—
“adequacy decision” means a decision made on the basis of—
(a)
Article 45(3) of the EU GDPR, or
(b)
Article 25(6) of Directive 95/46/EC of the European Parliament and of the Council of 24th October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
“binding corporate rules” has the meaning given in Article 4(20) of the UK GDPR.
(8)
This paragraph has effect in addition to Article 46(2) and (3) of the UK GDPR.