United Kingdom
5.6. Disclosure, sharing and transfer of data

5.6.1. Data sharing requires a lawful basis, transparency to data subjects, minimisation, and security. Data controllers should document sharing arrangements and determine roles (joint controllers vs separate controllers).

5.6.2. Processor engagements between controllers and processors must be governed by UK GDPR-compliant contracts with mandatory clauses covering subject matter, duration, nature and purpose of processing, confidentiality, security, sub-processing approvals, assistance with rights and DPIAs, audits, and deletion/return at the end of services.
5.7. Cross-border transfer of data

5.7.1. Under Chapter V UK GDPR, transfers of personal data to third countries from the UK require either adequacy regulations (recognising jurisdictions that provide essentially equivalent protection to UK GDPR) or appropriate safeguards, typically the IDTA or the UK Addendum to EU SCCs, together with transfer risk assessments and supplementary measures where necessary. Organisations should assess the legal and practical risk environment in the destination country and document the assessment, implementing technical and organisational measures (such as robust encryption and access controls) where appropriate. Derogations are available only for specific circumstances (e.g., explicit consent after full disclosure of risks, necessary for contract performance, important public interest) but are not appropriate for routine transfers.

5.7.2. Transfers of personal data between the EEA and the UK are the subject of mutual adequacy decisions. The UK generally follows the EU’s adequacy decisions.

5.8. Grievance redressal

5.8.1. Controllers are required to maintain accessible internal mechanisms for complaints and rights handling.
https://www.fladgate.com/