Lecture 10: Transfer of Personal Data

Question 1

Data transfers must be perceived as data processing, ensuring an adequate level of protection or safeguards. True or false?

Answer 1

True.

Question 2

When can a transfer of personal data take place?

Answer 2

Art. 44: any transfer may take place if the conditions in Chapter V are complied with by both the data controller and the data processor. Chapter V is about transfers of personal data to third countries and organization

Question 3

When personal data is transferred outside the European Economic Area, special safeguards are foreseen to ensure that the protection travels with the data. What are these safeguards? (5 points)

Answer 3

Transfers to third countries can be made upon

1. an adequacy decision
2. appropriate safeguards
3. binding corporate rules
4. derogations for specific situations
5. Consent

Question 4

What does Art.45 “Adequacy decision” when transferring to third countries refer to?

Answer 4

a transfer of personal data to a third country may take place if the EC has made a decision which finds that the third country ensures an adequate level of protection.

= which means that the third country has to have an adequate level of protection of fundamental rights and freedoms that is essentially equivalent to the guarantees ensured by law in the EU.

the EC publishes a list of these third countries. Art. 45 states that these transfers require no other authorization

Question 5

Who publishes the list of countries that you can send personal data to?

Answer 5

The European Comminsion

Question 6

What does the adoption of an adequacy decision involve?

Answer 6

• a proposal from the European Commission
• an opinion of the of the European Data Protection Board
• an approval from representatives of EU countries
• the adoption of the decision by the EuropeanCommissioners

Question 7

What does Art.46 “Appropriate safeguards” when transferring to third countries refer to?

Answer 7

Art. 46: in the absence of an adequacy decision, transfers to a third country can take place only if the data controller or data processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

Question 8

What is the base of transfers when it comes to Binding Corporate rules? What should one do previous to relying on this Article?

Answer 8

Art. 47(1) binding corporate rules must be approved by the competent supervisory authority if they (a) are legally binding and apply to and are enforced by every member concerned of the group of undertakings engaged in a joint economic activity, including their employees, (b) expressly confer enforceable rights on data subjects with regard to the processing of their personal data, and (c) fulfil the requirements specified in Article 47(2).

Question 9

What does Article 46(3) say in regards to Contractual Clauses?

Answer 9

Art. 47(1) binding corporate rules must be approved by the competent supervisory authority if they (a) are legally binding and apply to and are enforced by every member concerned of the group of undertakings engaged in a joint economic activity, including their employees, (b) expressly confer enforceable rights on data subjects with regard to the processing of their personal data, and (c) fulfil the requirements specified in Article 47(2).

Question 10

In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, transfers to a third country or organization may take place if … (6 possibilities). Name some

Answer 10

1. the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
2. the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request;
3. the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
4. the transfer is necessary for important reasons of public interest;
5. the transfer is necessary for the establishment, exercise or defence of legal claims;
6. the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent

Question 11

Companies can now rely on Safe Harbor to transfer personal data to the US. True or False?

Answer 11

False

Question 12

Companies can now rely on the Privacy Shield to transfer personal data to the US. True or False?

Answer 12

False. Privacy Shield is no longer a valid US-EU transfer mechanism, instead US companies must rely on another derogation or condition laid out in Article 46.