
Transfer of personal data to third countries or international organisations

What changes for the transfer of personal data to third countries or international organisations with the GDPR

The rules that applied before the GDPR to the lawful transfer of personal data to third countries or international organisations outside the European Union and the European Economic Area («EEA») are confirmed, with a few changes.

The GDPR introduces approved codes of conduct and approved certification mechanisms as appropriate safeguards for the transfer of personal data to third countries (they can also be used to demonstrate that a processing operation complies with other GDPR obligations). In addition, no prior authorisation by the supervisory authority is required for the main transfer tools: a transfer to a third country covered by a Commission adequacy decision, or a transfer based on the standard contractual clauses adopted by the Commission or on approved BCRs, may take place without the supervisory authority’s prior authorisation. Prior authorisation by the supervisory authority is still required where the controller or processor intends to rely on ad hoc contractual clauses (that is, clauses other than those adopted by the Commission, or adopted by a supervisory authority and approved by the Commission) or on provisions inserted into administrative arrangements between public authorities or bodies.

Requirements for the transfer of personal data to third countries or international organisations

The GDPR lays down specific requirements for the transfer of personal data outside the European Union and the European Economic Area. Their aim is to ensure that the level of protection of natural persons guaranteed by the GDPR is not undermined when data are transferred for processing to third countries whose law may not ensure a level of protection equivalent to the European one.

The requirements for the transfer of data to third countries or international organisations are:

a. transfers on the basis of an adequacy decision adopted by the European Commission

b. transfers subject to appropriate safeguards

c. binding corporate rules («BCRs»)

d. derogations for specific situations.

The first two are described below; the binding corporate rules («BCRs») and the derogations for specific situations are dealt with in their own sections further on.

Transfers on the basis of an adequacy decision

A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation ensures an adequate level of protection. Under this condition, no specific authorisation is required.

When assessing the adequacy of the level of protection, the Commission takes into account a set of elements (the rule of law, respect for human rights and fundamental freedoms, the relevant legislation and its effective application, and the international commitments entered into by the third country). The element which stands out is the existence and effective functioning of one or more independent supervisory authorities, with responsibility for ensuring and enforcing compliance with the data protection rules. These supervisory authorities must have adequate enforcement powers, must be able to assist and advise data subjects in exercising their rights, and must cooperate with the supervisory authorities of the Member States.

After carrying out the assessment, the Commission may decide, by means of an implementing act, that a third country, a territory or one or more specified sectors within a third country, or an international organisation ensures an adequate level of protection. The implementing act specifies its territorial and sectoral application and identifies the competent supervisory authority or authorities. It is subject to a periodic review, at least every four years, which takes into account relevant developments in the third country or international organisation. If the review shows that an adequate level of protection is no longer ensured, the Commission repeals, amends or suspends the adequacy decision. Such a decision has no retroactive effect.

On an ongoing basis, the Commission monitors developments in third countries and international organisations that could affect the functioning of the adequacy decisions adopted.

The Commission shall publish in the Official Journal of the European Union and on its website a list of the third countries, territories and specified sectors within a third country and international organisations for which it has decided that an adequate level of protection is or is no longer ensured.

All the adequacy decisions adopted before the GDPR remain valid: until amended, repealed or replaced by a Commission decision, they remain in force.

As a consequence, the adequacy decisions currently in force concern the following third countries: Andorra, Argentina, Australia (PNR data), Canada (commercial organisations), the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland, Uruguay and Japan. Transfers to the other EEA states (Norway, Liechtenstein and Iceland) do not need an adequacy decision, because the GDPR applies there under the EEA Agreement and they are not third countries.

Transfers subject to appropriate safeguards

If the Commission has not adopted an adequacy decision, a controller or processor may transfer personal data to a third country or international organisation only if it has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. The appropriate safeguards that may be used without any specific authorisation from a supervisory authority are:

a. a legally binding and enforceable instrument between public authorities or bodies

b. binding corporate rules («BCRs»)

c. standard data protection clauses adopted by the Commission

d. standard data protection clauses adopted by a supervisory authority and approved by the Commission

e. adherence to an approved code of conduct

f. adherence to an approved certification mechanism.

Let’s focus on the standard data protection clauses, codes of conduct and certification.

Standard data protection clauses

There are two kinds of standard contractual clauses: the standard data protection clauses for transfers from a controller to a controller, adopted by the Commission decisions of 15 June 2001 and 27 December 2004, and the standard data protection clauses of 5 February 2010 for transfers from a controller to a processor. They are clauses binding between the parties and are designed to provide the safeguards for data protection required by the GDPR even where, after the transfer, the processing is carried out in third countries or by international organisations, so that the rights and fundamental freedoms of data subjects remain protected. In substance, the clauses must guarantee a level of protection equivalent to that afforded to data processed within the European Union. It is important to note that the clauses may not be modified and must be signed by the parties as they stand. They may, however, be incorporated into a wider contract, and additional clauses may be added provided that they do not contradict, directly or indirectly, the standard data protection clauses adopted by the European Commission.

Any other modification turns the clauses into ad hoc contractual clauses. These may still provide appropriate safeguards, but before any transfer they must be authorised by the competent national supervisory authority, following an opinion of the European Data Protection Board.

Authorisations granted by a Member State or a supervisory authority under the former Directive 95/46/EC remain valid until amended, replaced or repealed, if necessary, by that supervisory authority. Decisions adopted by the Commission under the Directive remain valid until amended, replaced or repealed, if necessary, by a Commission decision.

Adherence to a code of conduct or to a certification mechanism

These are new legal instruments which the GDPR makes available as transfer tools. The GDPR encourages the drawing up of codes of conduct intended to contribute to its proper application, taking account of the specific needs of micro, small and medium-sized enterprises. It specifies the matters a code of conduct may cover and, as far as the subject discussed here is concerned, includes among them the conditions that adhering controllers and processors must respect when transferring personal data to third countries or international organisations.

Therefore, in the absence of an adequacy decision or of other appropriate safeguards, adherence to an approved code of conduct that lays down the organisational and security measures needed to comply with the principles of the GDPR, including the rights of the data subjects involved in the transfer, may be relied on as a condition for the transfer of data to third countries or international organisations. A controller or processor not subject to the GDPR that adheres to such a code must also make binding and enforceable commitments, through contractual or other legally binding instruments, to apply those safeguards.

Similarly, the GDPR recognises that approved certification mechanisms, seals or marks may be relied on to demonstrate the existence of appropriate safeguards provided by controllers or processors not subject to the GDPR, in the framework of personal data transfers to third countries or international organisations. Such controllers and processors must make binding and enforceable commitments, through contractual or other legally binding instruments, to apply those appropriate safeguards, including with regard to the rights of data subjects.

Binding Corporate Rules («BCRs»)

Although already mentioned above as one of the appropriate safeguards, the binding corporate rules are governed by a specific article of the GDPR and deserve a separate description.

The BCRs describe the data protection policies adhered to by a group of undertakings (e.g. a multinational) in order to provide appropriate safeguards for transfers of personal data within the group, including to entities established outside the EEA.

Since BCRs were already a transfer tool before the GDPR, the controller may already have adopted BCRs or may work with processors that use BCRs for processors. BCRs authorised under the former Directive 95/46/EC remain valid under the GDPR and may continue to be used, but they must be updated to be fully compliant with the GDPR provisions. BCRs not yet in place must be approved by the competent national supervisory authority, following an opinion of the European Data Protection Board («EDPB»). The GDPR sets out the conditions for approval and the elements that BCRs must contain as a minimum; since the list is a minimum, the national supervisory authorities may require further elements, where appropriate.

The competent supervisory authority approves the BCRs provided that they:

a. be legally binding and applied by every member concerned of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees

b. expressly confer enforceable rights on data subjects with regard to the processing of their personal data; and

c. fulfil, at least, the content requirements set out below.

The BCRs shall at least specify:

a. the structure and contact details of the group of undertakings, or group of enterprises engaged in a joint economic activity and of each of its members

b. the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries

c. their legally binding nature, both internally and externally

d. the application of the general data protection principles and the requirements in respect of onward transfers to bodies not bound by the binding corporate rules

e. the rights of data subjects with regard to processing and the means to exercise those rights, including the right to lodge a complaint with the competent supervisory authority and before the competent courts of the Member States, and to obtain compensation for a breach of the binding corporate rules

f. the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member concerned not established in the Union; the controller or the processor shall be exempt from that liability, in whole or in part, only if it proves that that member is not responsible for the event giving rise to the damage

g. how the information on the binding corporate rules is provided to data subjects

h. the tasks of any Data Protection Officer or any other person or entity in charge of monitoring compliance with the binding corporate rules within the group of undertakings, or group of enterprises engaged in a joint economic activity, as well as monitoring training and complaint-handling

i. the complaint procedures

j. the mechanisms within the group of undertakings, or group of enterprises engaged in a joint economic activity for ensuring the verification of compliance with the binding corporate rules

k. the mechanisms for reporting and recording changes to the rules and reporting those changes to the supervisory authority

l. the cooperation mechanism with the supervisory authority to ensure compliance by any member of the group of undertakings, or group of enterprises engaged in a joint economic activity, in particular by making available to the supervisory authority the results of the verifications referred to in point (j)

m. the mechanisms for reporting to the competent supervisory authority any legal requirements to which a member of the group of undertakings, or group of enterprises engaged in a joint economic activity, is subject in a third country which are likely to have a substantial adverse effect on the guarantees provided by the binding corporate rules

n. the appropriate data protection training for personnel having permanent or regular access to personal data.

The BCRs are certainly a useful instrument for governing data flows to third countries within a group of undertakings, but the process takes time, because the rules have to be drawn up and agreed by all the members of the group involved and then approved by the supervisory authority.

Derogations for specific situations

In the absence of an adequacy decision and of appropriate safeguards (including binding corporate rules), a transfer of personal data to a third country or an international organisation may still take place if:

a. the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers due to the absence of an adequacy decision and of appropriate safeguards: this consent must be given separately from any other consent that may have been requested

b. the transfer is necessary for the performance of a contract between the data subject and the controller, or for the implementation of pre-contractual measures taken at the data subject’s request: this mirrors the contractual legal basis that applies to processing carried out within the European territory, where the processing serves an obligation in the interest of the person

c. the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person: this is grounded on the same reason of what has been said in the previous point

d. the transfer is necessary for important reasons of public interest, which must be recognised in Union law or in the law of the Member State to which the controller is subject: the interest of the community overrides the individual’s right to confidentiality and the safeguards attached to it

e. the transfer is necessary for the establishment, exercise or defence of legal claims: this is comparable to the legitimate interest that may serve as the legal basis for processing carried out within the European territory

f. the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent: the protection of a person’s life and physical or mental integrity takes precedence over any privacy safeguard, wherever the data are processed

g. the transfer is made from a register which, according to Union or Member State law, is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled: examples are sectoral directories or professional registers which, in practice, may be consulted by anyone. It should be noted that, in such a case, the transfer may not involve the entirety of the personal data, or entire categories of personal data, contained in the register.

Where the transfer cannot be based on an adequacy decision, on appropriate safeguards or on binding corporate rules, and none of the derogations for specific situations applies, a transfer to a third country or an international organisation may still take place only if:

a. it is not repetitive

b. it concerns a limited number of data subjects

c. it is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights or freedoms of the data subject, and

d. the controller has assessed all the circumstances surrounding the transfer and, on the basis of that assessment, has provided suitable safeguards with regard to the protection of personal data. The controller must inform the supervisory authority of the transfer and must also inform the data subjects of the transfer and of the compelling legitimate interests pursued.

This residual condition reflects the accountability principle, which requires the controller to be able to demonstrate that its decisions comply with the GDPR: the decision to carry out the transfer in the absence of any other GDPR ground must be clearly justified and documented. The assessment and the suitable safeguards implemented must be recorded in the records of processing activities.

What happens in the event of «no-deal Brexit»

In the absence of a withdrawal agreement between the European Union and the UK («no-deal Brexit»), the UK becomes a third country for the purposes of the GDPR. Transfers of personal data from the EEA to the UK will therefore have to be based on one of the following tools:

a. standard contractual clauses adopted by the Commission, or ad hoc contractual clauses authorised by the competent national supervisory authority

b. binding corporate rules

c. codes of conduct and certification mechanisms

d. derogations for specific situations.

According to the UK Government, the current practice, which permits personal data to flow freely from the UK to the European Economic Area («EEA»), will continue in the event of a «no-deal Brexit».

Tiziana Minella - Via Vittoria Colonna, 32 - 10155 Torino (TO - Italy) - VAT IT03152590018 - mob. +39 366.4761338 - + 39 338.6626635