International Data Transfers Flashcards
On what legal basis can you transfer data to a third country?
GDPR art. 45(1): if the Commission has decided that the third country ensures an adequate level of protection.
GDPR art. 46(1 & 2): if the controller or processor has provided appropriate safeguards, i.e. a legally binding and enforceable instrument between public authorities or standard clauses adopted by the Commission.
GDPR art. 47(1): The competent supervisory authority shall approve binding corporate rules.
GDPR art. 49(1): If one of the listed conditions is applicable (i.e. consent or vital interests).
What did the court rule in Schrems I?
The CJEU found that the Safe Harbour decision does not contain sufficient findings explaining how the US ensures an adequate level of protection, since US authorities were able to access data in ways that did not meet EU legal standards in areas such as purpose limitation, necessity, and proportionality.
What did the court rule in Schrems II?
The Court ruled that the Privacy Shield did not grant data subjects actionable rights before the courts against the U.S. authorities. As a consequence, the Court declared the Privacy Shield adequacy decision invalid.
+ The Court has indicated that SCCs as a rule can still be used to transfer data to a third country; however, the threshold set by the Court for transfers to the U.S. applies to any third country. The same goes for BCRs.
What does the Lindqvist case in particular demonstrate?
That uploading personal information to a homemade website is not purely private and cannot constitute an international data transfer.