Mishcon de Reya page structure
Site header
Main menu
Main content section

UK GDPR

The UK General Data Protection Regulation

Art. 46 GDPR Transfers subject to appropriate safeguards

  1. In the absence of adequacy regulations under section 17A of the 2018 Act, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.
  2. The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from the Commissioner, by:
    1. a legally binding and enforceable instrument between public authorities or bodies;
    2. binding corporate rules in accordance with Article 47;
    3. standard data protection clauses specified in regulations made by the Secretary of State under section 17C of the 2018 Act and for the time being in force;
    4. standard data protection clauses specified in a document issued (and not withdrawn) by the Commissioner under section 119A of the 2018 Act and for the time being in force;
    5. an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or
    6. an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.
  3. With authorisation from the Commissioner, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by:
    1. contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or
    2. provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.
  4. […]
  5. […]

Corresponding Recitals

In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority. Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union, including the availability of enforceable data subject rights and of effective legal remedies, including to obtain effective administrative or judicial redress and to claim compensation, in the Union or in a third country. They should relate in particular to compliance with the general principles relating to personal data processing, the principles of data protection by design and by default. Transfers may also be carried out by public authorities or bodies with public authorities or bodies in third countries or with international organisations with corresponding duties or functions, including on the basis of provisions to be inserted into administrative arrangements, such as a memorandum of understanding, providing for enforceable and effective rights for data subjects. Authorisation by the competent supervisory authority should be obtained when the safeguards are provided for in administrative arrangements that are not legally binding.

View Recital

The possibility for the controller or processor to use standard data-protection clauses adopted by the Commission or by a supervisory authority should prevent controllers or processors neither from including the standard data-protection clauses in a wider contract, such as a contract between the processor and another processor, nor from adding other clauses or additional safeguards provided that they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects. Controllers and processors should be encouraged to provide additional safeguards via contractual commitments that supplement standard protection clauses.

View Recital