Module 7: International Data Transfers Flashcards
What is an adequacy decision?
An adequacy decision permits a cross-border data transfer outside the EU, or onward transfer from or to a party outside the EU without further authorisation from a national supervisory authority (Article 45(1), GDPR).
Who has the power to enforce an adequacy decision?
The European Commission has the power to determine whether a third country has an adequate level of data protection.
What are the criteria for an adequacy decision?
respect of the rule of law
access to justice
international human rights standards, general and sectoral laws and case laws
effective and enforceable rights for individuals
data protection rules and professional rules
security measures and other international commitments or obligations
Examples of countries with adequacy decisions in place with the EU
New Zealand, Andorra, Canada, Japan
What was the EU-US Privacy Shield (now invalidated)?
An invalidated adequacy decision.
Applied to organisations under FTC enforcement and acted as a voluntary self-certification program, through commitment, publicity, public disclosure, implementation and renewal.
What were the 7 principles of Privacy Shield?
The seven Privacy Shield principles included:
Notice
Choice
Accountability for onward transfer
Security
Data integrity and purpose limitation
Access
Recourse, enforcement and liability
Additional Privacy Shield provisions included an annual joint review and limited, proportionate surveillance.
What are appropriate safeguards?
Standard data protection clauses and approved codes of conduct and certification mechanisms.
Includes ad hoc contractual clauses, and international agreements.
What are codes of conduct and what do they do?
Codes of conduct are created or revised by regulators and associations and other bodies representing controllers or processors for GDPR application, helping controllers and processors to demonstrate compliance, creating marketing efficiencies and facilitating international data transfers.
They are binding and enforceable.
What are certification mechanisms and what do they do?
Certification mechanisms may be issued by accredited certification bodies, competent supervisory authorities or the EDPB. They assist controllers and processors in the same situations as codes of conduct and additionally demonstrate compliance with Article 25 (data protection by design and by default).
These are good for no more than 3 years, but may be renewed. There are consequences for non-compliance.
What are binding corporate rules and what do they do?
Apply to companies engaged in joint economic activity, corporate groups and groups of enterprises, and controllers/processors
Are internal and legally binding rules that expressly confer enforceable rights of data subjects
Are actioned through standard applications, with approval by supervisory authorities and detailed conditions for transfers (outlined in Article 47)
Are used to give flexibility and due to low administrative burden post implementation
What are the derogations relating to international data transfers?
Derogations regarding international data transfers under Article 49 of the GDPR include:
Consent
Performance of contract
Public interest
Establishment, exercise or defence of legal claims
Vital interests
Transfer from register
Legitimate interests
What are the restrictions of international data transfers?
Foreign law enforcement requests
Important reasons of public interest