Data Protection Act 2018

CHAPTER 5Transfers of personal data to third countries etc

Overview and interpretation

72Overview and interpretation

(1)This Chapter deals with the transfer of personal data to third countries or international organisations, as follows—

(a)sections 73 to 76 set out the general conditions that apply;

(b)section 77 sets out the special conditions that apply where the intended recipient of personal data is not a relevant authority in a third country or an international organisation;

(c)section 78 makes special provision about subsequent transfers of personal data.

(2)In this Chapter, “relevant authority”, in relation to a third country, means any person based in a third country that has (in that country) functions comparable to those of a competent authority.

General principles for transfers

73General principles for transfers of personal data

(1)A controller may not transfer personal data to a third country or to an international organisation unless—

(a)the three conditions set out in subsections (2) to (4) are met, and

(b)in a case where the personal data was originally transmitted or otherwise made available to the controller or another competent authority by a member State other than the United Kingdom, that member State, or any person based in that member State which is a competent authority for the purposes of the Law Enforcement Directive, has authorised the transfer in accordance with the law of the member State.

(2)Condition 1 is that the transfer is necessary for any of the law enforcement purposes.

(3)Condition 2 is that the transfer—

(a)is based on an adequacy decision (see section 74),

(b)if not based on an adequacy decision, is based on there being appropriate safeguards (see section 75), or

(c)if not based on an adequacy decision or on there being appropriate safeguards, is based on special circumstances (see section 76).

(4)Condition 3 is that—

(a)the intended recipient is a relevant authority in a third country or an international organisation that is a relevant international organisation, or

(b)in a case where the controller is a competent authority specified in any of paragraphs 5 to 17, 21, 24 to 28, 34 to 51, 54 and 56 of Schedule 7—

(i)the intended recipient is a person in a third country other than a relevant authority, and

(ii)the additional conditions in section 77 are met.

(5)Authorisation is not required as mentioned in subsection (1)(b) if—

(a)the transfer is necessary for the prevention of an immediate and serious threat either to the public security of a member State or a third country or to the essential interests of a member State, and

(b)the authorisation cannot be obtained in good time.

(6)Where a transfer is made without the authorisation mentioned in subsection (1)(b), the authority in the member State which would have been responsible for deciding whether to authorise the transfer must be informed without delay.

(7)In this section, “relevant international organisation” means an international organisation that carries out functions for any of the law enforcement purposes.

74Transfers on the basis of an adequacy decision

A transfer of personal data to a third country or an international organisation is based on an adequacy decision where—

(a)the European Commission has decided, in accordance with Article 36 of the Law Enforcement Directive, that—

(i)the third country or a territory or one or more specified sectors within that third country, or

(ii)(as the case may be) the international organisation,

ensures an adequate level of protection of personal data, and

(b)that decision has not been repealed or suspended, or amended in a way that demonstrates that the Commission no longer considers there to be an adequate level of protection of personal data.

75Transfers on the basis of appropriate safeguards

(1)A transfer of personal data to a third country or an international organisation is based on there being appropriate safeguards where—

(a)a legal instrument containing appropriate safeguards for the protection of personal data binds the intended recipient of the data, or

(b)the controller, having assessed all the circumstances surrounding transfers of that type of personal data to the third country or international organisation, concludes that appropriate safeguards exist to protect the data.

(2)The controller must inform the Commissioner about the categories of data transfers that take place in reliance on subsection (1)(b).

(3)Where a transfer of data takes place in reliance on subsection (1)—

(a)the transfer must be documented,

(b)the documentation must be provided to the Commissioner on request, and

(c)the documentation must include, in particular—

(i)the date and time of the transfer,

(ii)the name of and any other pertinent information about the recipient,

(iii)the justification for the transfer, and

(iv)a description of the personal data transferred.

76Transfers on the basis of special circumstances

(1)A transfer of personal data to a third country or international organisation is based on special circumstances where the transfer is necessary—

(a)to protect the vital interests of the data subject or another person,

(b)to safeguard the legitimate interests of the data subject,

(c)for the prevention of an immediate and serious threat to the public security of a member State or a third country,

(d)in individual cases for any of the law enforcement purposes, or

(e)in individual cases for a legal purpose.

(2)But subsection (1)(d) and (e) do not apply if the controller determines that fundamental rights and freedoms of the data subject override the public interest in the transfer.

(3)Where a transfer of data takes place in reliance on subsection (1)—

(a)the transfer must be documented,

(b)the documentation must be provided to the Commissioner on request, and

(c)the documentation must include, in particular—

(i)the date and time of the transfer,

(ii)the name of and any other pertinent information about the recipient,

(iii)the justification for the transfer, and

(iv)a description of the personal data transferred.

(4)For the purposes of this section, a transfer is necessary for a legal purpose if—

(a)it is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings) relating to any of the law enforcement purposes,

(b)it is necessary for the purpose of obtaining legal advice in relation to any of the law enforcement purposes, or

(c)it is otherwise necessary for the purposes of establishing, exercising or defending legal rights in relation to any of the law enforcement purposes.

Transfers to particular recipients

77Transfers of personal data to persons other than relevant authorities

(1)The additional conditions referred to in section 73(4)(b)(ii) are the following four conditions.

(2)Condition 1 is that the transfer is strictly necessary in a specific case for the performance of a task of the transferring controller as provided by law for any of the law enforcement purposes.

(3)Condition 2 is that the transferring controller has determined that there are no fundamental rights and freedoms of the data subject concerned that override the public interest necessitating the transfer.

(4)Condition 3 is that the transferring controller considers that the transfer of the personal data to a relevant authority in the third country would be ineffective or inappropriate (for example, where the transfer could not be made in sufficient time to enable its purpose to be fulfilled).

(5)Condition 4 is that the transferring controller informs the intended recipient of the specific purpose or purposes for which the personal data may, so far as necessary, be processed.

(6)Where personal data is transferred to a person in a third country other than a relevant authority, the transferring controller must inform a relevant authority in that third country without undue delay of the transfer, unless this would be ineffective or inappropriate.

(7)The transferring controller must—

(a)document any transfer to a recipient in a third country other than a relevant authority, and

(b)inform the Commissioner about the transfer.

(8)This section does not affect the operation of any international agreement in force between member States and third countries in the field of judicial co-operation in criminal matters and police co-operation.

Subsequent transfers

78Subsequent transfers

(1)Where personal data is transferred in accordance with section 73, the transferring controller must make it a condition of the transfer that the data is not to be further transferred to a third country or international organisation without the authorisation of the transferring controller or another competent authority.

(2)A competent authority may give an authorisation under subsection (1) only where the further transfer is necessary for a law enforcement purpose.

(3)In deciding whether to give the authorisation, the competent authority must take into account (among any other relevant factors)—

(a)the seriousness of the circumstances leading to the request for authorisation,

(b)the purpose for which the personal data was originally transferred, and

(c)the standards for the protection of personal data that apply in the third country or international organisation to which the personal data would be transferred.

(4)In a case where the personal data was originally transmitted or otherwise made available to the transferring controller or another competent authority by a member State other than the United Kingdom, an authorisation may not be given under subsection (1) unless that member State, or any person based in that member State which is a competent authority for the purposes of the Law Enforcement Directive, has authorised the transfer in accordance with the law of the member State.

(5)Authorisation is not required as mentioned in subsection (4) if—

(a)the transfer is necessary for the prevention of an immediate and serious threat either to the public security of a member State or a third country or to the essential interests of a member State, and

(b)the authorisation cannot be obtained in good time.

(6)Where a transfer is made without the authorisation mentioned in subsection (4), the authority in the member State which would have been responsible for deciding whether to authorise the transfer must be informed without delay.