Data Protection Act 2018, CHAPTER 5 is up to date with all changes known to be in force on or before 14 November 2024. There are changes that may be brought into force at a future date. Changes that have been made appear in the content and are referenced with annotations.
(1)This Chapter deals with the transfer of personal data to third countries or international organisations, as follows—
(a)sections 73 to 76 set out the general conditions that apply;
(b)section 77 sets out the special conditions that apply where the intended recipient of personal data is not a relevant authority in a third country or an international organisation;
(c)section 78 makes special provision about subsequent transfers of personal data.
(2)In this Chapter, “relevant authority”, in relation to a third country, means any person based in a third country that has (in that country) functions comparable to those of a competent authority.
(1)A controller may not transfer personal data to a third country or to an international organisation unless—
(a)the three conditions set out in subsections (2) to (4) are met, and
(b)in a case where the personal data was originally transmitted or otherwise made available to the controller or another competent authority by a member State F1..., that member State, or any person based in that member State which is a competent authority for the purposes of the Law Enforcement Directive, has authorised the transfer in accordance with the law of the member State.
(2)Condition 1 is that the transfer is necessary for any of the law enforcement purposes.
(3)Condition 2 is that the transfer—
(a)is based on [F2adequacy regulations (see section 74A)],
(b)if not based on [F3adequacy regulations], is based on there being appropriate safeguards (see section 75), or
(c)if not based on [F4adequacy regulations] or on there being appropriate safeguards, is based on special circumstances (see section 76).
(4)Condition 3 is that—
(a)the intended recipient is a relevant authority in a third country or an international organisation that is a relevant international organisation, or
(b)in a case where the controller is a competent authority specified in any of paragraphs 5 to 17, 21, 24 to 28, 34 to 51, 54 and 56 of Schedule 7—
(i)the intended recipient is a person in a third country other than a relevant authority, and
(ii)the additional conditions in section 77 are met.
(5)Authorisation is not required as mentioned in subsection (1)(b) if—
(a)the transfer is necessary for the prevention of an immediate and serious threat either to the public security of F5... a third country or to the essential interests of a member State, and
(b)the authorisation cannot be obtained in good time.
(6)Where a transfer is made without the authorisation mentioned in subsection (1)(b), the authority in the member State which would have been responsible for deciding whether to authorise the transfer must be informed without delay.
(7)In this section, “relevant international organisation” means an international organisation that carries out functions for any of the law enforcement purposes.
Textual Amendments
F1Words in s. 73(1)(b) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 40(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F2Words in s. 73(3)(a) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 40(3)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F3Words in s. 73(3)(b) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 40(3)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F4Words in s. 73(3)(c) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 40(3)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F5Words in s. 73(5)(a) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 40(4) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Textual Amendments
F6S. 74 omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 41 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
(1)The Secretary of State may by regulations specify any of the following which the Secretary of State considers ensures an adequate level of protection of personal data—
(a)a third country,
(b)a territory or one or more sectors within a third country,
(c)an international organisation, or
(d)a description of such a country, territory, sector or organisation.
(2)For the purposes of this Part of this Act, a transfer of personal data to a third country or an international organisation is based on adequacy regulations if, at the time of the transfer, regulations made under this section are in force which specify, or specify a description which includes—
(a)in the case of a third country, the country or a relevant territory or sector within the country, and
(b)in the case of an international organisation, the organisation,
and such a transfer does not require specific authorisation.
(3)Regulations under this section may specify that the Secretary of State considers that an adequate level of protection of personal data is ensured only for a transfer specified or described in the regulations and, if they do so, only such a transfer may rely on those regulations for the purposes of subsection (2).
(4)When assessing the adequacy of the level of protection for the purposes of this section or section 74B, the Secretary of State must, in particular, take account of—
(a)the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation, which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data is transferred,
(b)the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with data protection rules, including adequate enforcement powers, for assisting and advising data subjects in exercising their rights and for cooperation with the Commissioner, and
(c)the international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.
(5)Regulations under this section—
(a)where they relate to a third country, must specify their territorial and sectoral application;
(b)where applicable, must specify the independent supervisory authority or authorities referred to in subsection (4)(b).
(6)Regulations under this section may, among other things—
(a)provide that, in relation to a country, territory, sector, organisation or territory specified, or falling within a description specified, in the regulations, section 74B(1) has effect as if it required the reviews described there to be carried out at such shorter intervals as are specified in the regulations;
(b)identify a transfer of personal data by any means, including by reference to the controller or processor, the recipient, the personal data transferred or the means by which the transfer is made or by reference to relevant legislation, lists or other documents, as they have effect from time to time;
(c)confer a discretion on a person.
(7)Regulations under this section are subject to the negative resolution procedure.]
Textual Amendments
F7Ss. 74A, 74B inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 42 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
(1)For so long as regulations under section 74A are in force which specify, or specify a description which includes, a third country, a territory or sector within a third country or an international organisation, the Secretary of State must carry out a review of whether the country, territory, sector or organisation ensures an adequate level of protection of personal data at intervals of not more than 4 years.
(2)Each review under subsection (1) must take into account all relevant developments in the third country or international organisation.
(3)The Secretary of State must, on an ongoing basis, monitor developments in third countries and international organisations that could affect decisions to make regulations under section 74A or to amend or revoke such regulations.
(4)Where the Secretary of State becomes aware that a country, territory, sector or organisation specified, or falling within a description specified, in regulations under section 74A no longer ensures an adequate level of protection of personal data, whether as a result of a review under this section or otherwise, the Secretary of State must, to the extent necessary, amend or revoke the regulations.
(5)Where regulations under section 74A are amended or revoked in accordance with subsection (4), the Secretary of State must enter into consultations with the third country or international organisation concerned with a view to remedying the lack of an adequate level of protection.
(6)The Secretary of State must publish—
(a)a list of the third countries, territories and specified sectors within a third country and international organisations, and the descriptions of such countries, territories, sectors and organisations, which are for the time being specified in regulations under section 74A, and
(b)a list of the third countries, territories and specified sectors within a third country and international organisations, and the descriptions of such countries, territories, sectors and organisations, which have been but are no longer specified in such regulations.
(7)In the case of regulations under section 74A which specify that an adequate level of protection of personal data is ensured only for a transfer specified or described in the regulations—
(a)the duty under subsection (1) is only to carry out a review of the level of protection ensured for such a transfer, and
(b)the lists published under subsection (6) must specify or describe the relevant transfers.]
Textual Amendments
F7Ss. 74A, 74B inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 42 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
(1)A transfer of personal data to a third country or an international organisation is based on there being appropriate safeguards where—
(a)a legal instrument containing appropriate safeguards for the protection of personal data binds the intended recipient of the data, or
(b)the controller, having assessed all the circumstances surrounding transfers of that type of personal data to the third country or international organisation, concludes that appropriate safeguards exist to protect the data.
(2)The controller must inform the Commissioner about the categories of data transfers that take place in reliance on subsection (1)(b).
(3)Where a transfer of data takes place in reliance on subsection (1)—
(a)the transfer must be documented,
(b)the documentation must be provided to the Commissioner on request, and
(c)the documentation must include, in particular—
(i)the date and time of the transfer,
(ii)the name of and any other pertinent information about the recipient,
(iii)the justification for the transfer, and
(iv)a description of the personal data transferred.
(1)A transfer of personal data to a third country or international organisation is based on special circumstances where the transfer is necessary—
(a)to protect the vital interests of the data subject or another person,
(b)to safeguard the legitimate interests of the data subject,
(c)for the prevention of an immediate and serious threat to the public security of F8... a third country,
(d)in individual cases for any of the law enforcement purposes, or
(e)in individual cases for a legal purpose.
(2)But subsection (1)(d) and (e) do not apply if the controller determines that fundamental rights and freedoms of the data subject override the public interest in the transfer.
(3)Where a transfer of data takes place in reliance on subsection (1)—
(a)the transfer must be documented,
(b)the documentation must be provided to the Commissioner on request, and
(c)the documentation must include, in particular—
(i)the date and time of the transfer,
(ii)the name of and any other pertinent information about the recipient,
(iii)the justification for the transfer, and
(iv)a description of the personal data transferred.
(4)For the purposes of this section, a transfer is necessary for a legal purpose if—
(a)it is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings) relating to any of the law enforcement purposes,
(b)it is necessary for the purpose of obtaining legal advice in relation to any of the law enforcement purposes, or
(c)it is otherwise necessary for the purposes of establishing, exercising or defending legal rights in relation to any of the law enforcement purposes.
Textual Amendments
F8Words in s. 76(1)(c) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 43 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
(1)The additional conditions referred to in section 73(4)(b)(ii) are the following four conditions.
(2)Condition 1 is that the transfer is strictly necessary in a specific case for the performance of a task of the transferring controller as provided by law for any of the law enforcement purposes.
(3)Condition 2 is that the transferring controller has determined that there are no fundamental rights and freedoms of the data subject concerned that override the public interest necessitating the transfer.
(4)Condition 3 is that the transferring controller considers that the transfer of the personal data to a relevant authority in the third country would be ineffective or inappropriate (for example, where the transfer could not be made in sufficient time to enable its purpose to be fulfilled).
(5)Condition 4 is that the transferring controller informs the intended recipient of the specific purpose or purposes for which the personal data may, so far as necessary, be processed.
(6)Where personal data is transferred to a person in a third country other than a relevant authority, the transferring controller must inform a relevant authority in that third country without undue delay of the transfer, unless this would be ineffective or inappropriate.
(7)The transferring controller must—
(a)document any transfer to a recipient in a third country other than a relevant authority, and
(b)inform the Commissioner about the transfer.
(8)This section does not affect the operation of any international agreement in force between [F9the United Kingdom] and third countries in the field of judicial co-operation in criminal matters and police co-operation.
Textual Amendments
F9Words in s. 77(8) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 44 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
(1)Where personal data is transferred in accordance with section 73, the transferring controller must make it a condition of the transfer that the data is not to be further transferred to a third country or international organisation without the authorisation of the transferring controller or another competent authority.
(2)A competent authority may give an authorisation under subsection (1) only where the further transfer is necessary for a law enforcement purpose.
(3)In deciding whether to give the authorisation, the competent authority must take into account (among any other relevant factors)—
(a)the seriousness of the circumstances leading to the request for authorisation,
(b)the purpose for which the personal data was originally transferred, and
(c)the standards for the protection of personal data that apply in the third country or international organisation to which the personal data would be transferred.
(4)In a case where the personal data was originally transmitted or otherwise made available to the transferring controller or another competent authority by a member State F10..., an authorisation may not be given under subsection (1) unless that member State, or any person based in that member State which is a competent authority for the purposes of the Law Enforcement Directive, has authorised the transfer in accordance with the law of the member State.
(5)Authorisation is not required as mentioned in subsection (4) if—
(a)the transfer is necessary for the prevention of an immediate and serious threat either to the public security of F11... a third country or to the essential interests of a member State, and
(b)the authorisation cannot be obtained in good time.
(6)Where a transfer is made without the authorisation mentioned in subsection (4), the authority in the member State which would have been responsible for deciding whether to authorise the transfer must be informed without delay.
Textual Amendments
F10Words in s. 78(4) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 45(2) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F11Words in s. 78(5)(a) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 45(3) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)