Data Protection Act 2018

100

Transfer to recipient in third country

100. (1) Notwithstanding section 96(1)(b) and the provisions of any relevant international agreement, a controller may, in an individual case, transfer personal data directly to a recipient located in a third country who is not a controller or organisation referred to in section 96(1)(b) where the relevant provisions of this Part are complied with and each of the following conditions are fulfilled—

(a) the transfer is necessary for the performance of a function of the controller making the transfer under the law of the European Union or the law of the State for a purpose specified in section 70(1)(a);

(b) the transfer is in the public interest;

(c) the controller is satisfied that the fundamental rights and freedoms of the data subject do not override the public interest necessitating the transfer in the particular instance;

(d) the controller is satisfied that the transfer of the data to an authority in the third country that is competent for the purposes specified in section 70(1)(a) would be ineffective or inappropriate, having regard to the purpose for which the data are being transferred, in particular where the transfer could not be made to such an authority in time to achieve the purpose of the transfer.

(2) A controller, when transferring personal data to a recipient pursuant to subsection (1) shall—

(a) specify to the recipient the purpose for which the recipient may process the data, and

(b) inform the recipient that the data are to be processed by the recipient for the specified purpose only and then only to the extent that such processing is necessary for that purpose.

(3) Where a controller transfers personal data to a recipient pursuant to subsection (1), the controller shall—

(a) notify the relevant authority in the third country that is competent for the purpose for which the data are transferred of the transfer without undue delay, unless to do so would be ineffective or inappropriate, having regard to the purpose for which the data are being transferred,

(b) notify the Commission of the transfer, and

(c) create and maintain a record in writing of the transfer containing at least the following information:

(i) details of the personal data transferred;

(ii) the date and the time of the transfer;

(iii) the identity of the recipient;

(iv) the reason for which the data were transferred.

(4) A controller shall make available a record created and maintained pursuant to subsection (3)(c) to the Commission for inspection upon a request in that regard by the Commission.

(5) In this section—

“controller” means a controller that is a competent authority specified in paragraph (a) of the definition of “competent authority” in section 69;

“relevant international agreement” means an international agreement—

(a) to which the State and the third country in which the recipient is located are parties, and

(b) that relates to judicial cooperation in criminal matters or to police cooperation.