SCHEDULES

SCHEDULE 1U.K. The data protection principles

Modifications etc. (not altering text)

Part IIU.K. Interpretation of the principles in Part I

The eighth principleU.K.

13U.K.An adequate level of protection is one which is adequate in all the circumstances of the case, having regard in particular to—

(a)the nature of the personal data,

(b)the country or territory of origin of the information contained in the data,

(c)the country or territory of final destination of that information,

(d)the purposes for which and period during which the data are intended to be processed,

(e)the law in force in the country or territory in question,

(f)the international obligations of that country or territory,

(g)any relevant codes of conduct or other rules which are enforceable in that country or territory (whether generally or by arrangement in particular cases), and

(h)any security measures taken in respect of the data in that country or territory.

14U.K.The eighth principle does not apply to a transfer falling within any paragraph of Schedule 4, except in such circumstances and to such extent as the [F1 Secretary of State] may by order provide.

Textual Amendments

Commencement Information

I1Sch. 1 Pt. II para. 14 wholly in force at 1.3.2000; Sch. 1 Pt. II para. 14 in force for certain purposes at Royal Assent see s. 75(2)(i); Sch. 1 Pt. II para. 14 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)

15(1)Where—U.K.

(a)in any proceedings under this Act any question arises as to whether the requirement of the eighth principle as to an adequate level of protection is met in relation to the transfer of any personal data to a country or territory outside the European Economic Area, and

(b)a Community finding has been made in relation to transfers of the kind in question,

that question is to be determined in accordance with that finding.

(2)In sub-paragraph (1) “Community finding” means a finding of the European Commission, under the procedure provided for in Article 31(2) of the Data Protection Directive, that a country or territory outside the European Economic Area does, or does not, ensure an adequate level of protection within the meaning of Article 25(2) of the Directive.