Data Protection Act 2018
Transfer subject to appropriate safeguards | ||
98. (1) Personal data may be transferred in accordance with section 96 (1) to a third country, a territory or sector thereof, or an international organisation, in respect of which a decision has not been taken by the European Commission under Article 36 of the Directive that the third country, territory or sector thereof, or the international organisation, as the case may be, ensures an adequate level of protection of personal data, where— | ||
(a) there is a legally binding instrument that applies to the transfer and that ensures appropriate safeguards with regard to the processing of personal data, or | ||
(b) the controller transferring the personal data, or on whose behalf the personal data are being transferred, has— | ||
(i) assessed all the circumstances relating to the transfer, and | ||
(ii) is satisfied that appropriate safeguards exist with regard to the protection of the personal data. | ||
(2) Where personal data are transferred to a third country, a territory or sector thereof, or an international organisation pursuant to subsection (1)(b), the controller transferring the personal data, or on whose behalf the personal data are being transferred, shall— | ||
(a) inform the Commission about each category of such transfers, and | ||
(b) create and maintain a record in writing of each such transfer containing at least the following: | ||
(i) details of the personal data transferred; | ||
(ii) the date and time of the transfer; | ||
(iii) information about the controller in the third country or the international organisation to which the data were transferred; | ||
(iv) the reasons for the transfer. | ||
(3) A controller shall make available a record created and maintained pursuant to subsection (2)(b) to the Commission for inspection upon a request in that regard by the Commission. |