International Data Transfer to Third Countries

The Data Protection Act 2018 lays down the rules for International data transfers to third countries in Chapter 5. International data transfers to third countries are prohibited unless one of these conditions is being met:

  • It is necessary for any of the law enforcement procedures.
  • The personal data was originally made available to the data controller/processor by another member State, which has authorised the transfer according to its national law; in that case the national authority that is responsible for authorisation of data transfers must be notified immediately.
  • The transfer is either based on:
  • an adequacy decision.
  • the presence of appropriate safeguards, or
  • special circumstances.
  • The intended recipient is a relevant authority in a third country or an international organisation that is a relevant international organisation, or in a case where the controller is a competent authority specified in any of paragraphs 5 to 17, 21, 24 to 28, 34 to 51, 54 and 56 of Schedule 7:

(i)the intended recipient is a person in a third country other than a relevant authority, and

(ii)the additional conditions in section 77 are met.

Authorisation is not required when the transfer is necessary for the prevention of an immediate and serious threat either to the public security or to the essential interests of a member State, and the authorisation cannot be obtained in good time.

Please visit: CHAPTER 5 Transfers of personal data to third countries etc http://www.legislation.gov.uk/ukpga/2018/12/part/3/chapter/5/enacted

If the country or territory has not been approved as adequate is still possible to send personal data to that country or territory, if the controller is satisfied in the particular circumstances there is an adequate level of protection, where:

  • The controller uses contracts. There are several types of contract that the controller can use to transfer personal data outside the EEA. The main types are:
  • contracts based on the standard contractual clauses approved by the European Commission (Model Contract Clauses); and
  • other contracts the controller draws up himself after a risk assessment to bring protection up to an adequate level.
  • The controller relies on the legal exceptions from the prohibition to transfer personal data to a third country that does not ensure an adequate level of protection. The exceptions are the following:
  • the data subject has consented to the transfer;
  • the transfer is necessary for the performance of, or for the taking of steps at the request of the data subject with a view to entering into, a contract between the data subject and the data controller;
  • the transfer is necessary for the performance of, or entering into, a contract between the data controller and a third party entering into the contract at the request, or in the interests, of the data subject;
  • the transfer is necessary for reasons of substantial public interest;
  • the transfer is necessary in connection with legal proceedings, advice or rights;
  • the transfer is necessary to protect the vital interests of the data subject;
  • the transfer is of part of the personal data on a public register.

Please visit: Guidance of the DPA on The eighth data protection principle and international data transfers (2010) https://ico.org.uk/media/for-organisations/documents/1566/international_transfers_legal_guidance.pdf

 

  • The controller gets the Binding Corporate Rules or Binding Corporate Rules for Processors (BCRs) approved by the Information Commissioner.

 

Adequate safeguards may be put in place using BCRs or other contractual arrangements.

BCRs are recognised in the United Kingdom. The DPA has also accepted the mutual recognition process.

The controller also may use internal codes of conduct, similar to BCR, to transfer information from the UK without an authorisation where:

  • he has conducted a risk assessment; and
  • he is satisfied that the codes provide the level of safeguards required by the law.

When the controller does not have an authorisation or his code of conduct or internal policies has not been through the BCR approval process, it will not be recognised as a BCR. Using an unauthorised code risks a future challenge to the adequacy of the level of protection it offers