Datafication 7 Transfers Flashcards

1
Q

Transfer tools Art. 44

A

toolkit of mechanisms to transfer pd which are undergoing processing or are intended for processing to a 3rd country

2
Q

third country

A

outside EU & Iceland, Liechtenstein, Norway etc.

3
Q

e.g. CJEU case: is posting of pd on website = transfer to 3rd country as it makes data accessible to people in 3rd country?

A
  • No, not intended to cover that by legislature
  • then every posting on website = transfer to all 3rd countries
4
Q

Transfer tools Chapter 5 Art. 45 - 50

A
  1. Adequacy decisions Art. 45
  2. Appropriate safeguards Art. 46
  3. Derogations
5
Q

Adequacy decisions Art. 45

A
  • EU Commission recognized countries to provide adequate protection
  • essentially equivalent guarantees as in EU ensured by law for fundamental rights & freedoms
6
Q

Adequacy decisions Art. 45 - requirement for transferring

A

Transfers without any specific authorization

7
Q

Adequacy decisions Art. 45 - adoption of adequacy decision involves

A
  • Proposal from European Commission
  • Opinion of European Data Protection Board
  • Approval from representatives of EU countries
  • Adoption of decision by European Commission
8
Q

Adequacy decisions Art. 45 - powers to withdraw etc.

A

At any time: European Parliament & Council can request to maintain, amend, or withdraw if country exceeds powers provided in regulation

9
Q

Adequacy decisions Art. 45 - countries

A

Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, UK, Uruguay

10
Q

Appropriate safeguards Art. 46

A
  • data controller or processor has provided one of:
  • Standard contractual clauses (SCC)
  • Binding corporate rules art. 47
  • Approved codes of conduct & certification mechanisms
  • Ad hoc contractual clauses (must have Supervisory Authority authorization)
  • Reliance on international agreement
11
Q

Standard contractual clauses (SCC) = Model Clauses

A
  • EU Commission decides that SCCs = sufficient safeguards for international data transfer
  • 2 SCC sets to transfer data from dc in EU to dc outside EU / EEA
  • 1 SCC set to transfer data from dc in EU to dp outside EU / EEA
12
Q

Binding corporate rules art. 47

A
  • internal rules for transfers
  • within a group of undertakings engaged in joint economic activity (multinational companies and governed by code of conduct)
  • to countries that do not provide adequate level of protection
13
Q

Binding corporate rules art. 47 - requirement

A
  • shall be approved by SA if corporate rules …
    a) are legally binding & apply to all members of group
    b) include enforceable rights on ds with regard to processing of their pd
    c) and fulfill requirements in Art. 47(2) - list of content
14
Q

Binding corporate rules art. 47 - content (must include)

A
  • Privacy principles (e.g. transparency, data quality, security)
  • Tools of effectiveness (e.g. audits, trainings)
  • Element providing that rules are binding
15
Q

Binding corporate rules art. 47 - con

A

main company is liable for what other parties do, very expensive

16
Q

Ad hoc contractual clauses

A

must have SA authorization

17
Q

e.g. Schrems case

A
  • “Safe Harbour Privacy principles” (= scheme for transfer of pd btw EU & US)
  • invalid (Snowden reference): US not ensure adequate protection of pd against surveillance activities by US public authorities
  • replacement by “EU-US Privacy Shield” including:
  • Data protection obligations on companies receiving pd from EU
  • mechanism independent from US intelligence service & deals with complaints of individuals
  • Annual joint review to monitor
18
Q

Schrems 2 case: new principles same flaws

A
  • CJEU declared shield invalid
  • but validity of SCC Decision while stricter requirements for SCC & BCR based transfers
  • US not essentially equivalent levels of protection required by EU: not sufficiently limit powers of US authorities & lack actionable rights for EU subjects against US authorities
19
Q

Derogations

A
  • no other tool -> 1 condition must be fulfilled:
    1) Explicit consent from ds to transfer or necessary for…
    2) protect vital interest of ds or other person (ds incapable of consent)
    3) legal claims
    4) contract btw ds & dc or pre-contractual measures taken at ds request
    5) performance for contract in interest of ds btw dc & other person
    6) important reasons of public interest
20
Q

Risk assessment of transfers to 3rd countries (EDPB 01/2020)

A

1) Know transfer: map whether it is adequate, relevant & limited to what is necessary for purpose
2) Verify transfer tool
3) Assess 3rd country law / practice: anything reducing effectiveness of tool's safeguards?
4) Identify & adopt supplementary measures required by 3 (ensure level of protection same as in EU)
5) Implement 4
6) Re-evaluate & monitor

21
Q

Risk assessment of transfers to 3rd countries (EDPB 01/2020) - step 4 potential supplementary measures

A
  • Pseudonymization
  • No sensitive pd
  • Shorter deletion deadlines
  • Restricted access to retransmission
  • Data-minimization
  • Encryption
  • Extended notification