Seminar 18+19 - International data transfers Flashcards
Relevant provisions?
● GDPR Chapter V
● GDPR Art. 44
● GDPR Art. 45
● GDPR Art. 46
● GDPR Art. 49
● GDPR Art. 50
Is there a definition of int. data transfers in GDPR?
No.
Name examples of Int. data transfers?
Computer brought to third country with personal data, transfers via international company’s intranet, uploading to a cloud solution, employee searching a database from a third country, data made public on non-EU webpage.
Name examples of non-Int. data transfers?
Transmission through third countries (passing through e-mail), if controller is established in another MS and data is processed in DK. Publication of information on webpages if EU-server.
Why do we need rules for international data transfers?
The purpose is to ensure that the data subjects' rights are safeguarded when data are transferred outside the EU.
Name the 3 different ways there are to transfer data to third countries?
- On the basis of an adequacy decision (art. 45),
- by ensuring appropriate safeguards (art. 46), including binding corporate rules (art. 47), or
- with one of the derogations listed in art. 49.
What is an Adequacy decision?
A transfer to a third country or international organization may take place, where the Commission has decided that the third country ensures an adequate level of protection.
What are appropriate safeguards?
In the absence of an adequacy decision, transfers can be allowed if the controller or processor provides appropriate safeguards and enforceable rights, and if effective legal remedies are available to data subjects.
For example: contractual clauses or binding corporate rules.
What are derogations for specific situations?
Personal data transfers to a third country may be justified, even in the absence of an adequacy decision or safeguards, in one of the listed circumstances in art. 49(1)(a)-(f), e.g. explicit consent, necessary for performance of a contract, or public interest.
What if a transfer cannot be based on a provision in art. 45, art. 46 (incl. art. 47) or art. 49(1)(a)-(g)?
The transfer may then take place only if:
■ the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and has suitable safeguards
■ The controller shall inform the SA of the transfer
Name a relevant case with regards to definition of Int. data transfer?
The Lindqvist case suggests that data transfer should be an active act, which involves sending data, and not just making it passively accessible, however, this does not mean that granting access may not also constitute a transfer (judgement is based on specific factors, as the website was not intended to be read outside Sweden).
What does the Schrems case illustrate?
Illustrates how data protection rights under EU law can apply to data processing in third countries.
Why do we have derogations from restrictions on international data transfers?
Derogations are meant to cover situations in which there is no adequate protection in the country to which the data are to be transferred, but ‘the risks to the data subject are relatively small’ or ‘other interests override the data subject’s right to privacy’
Give an example of a derogation?
Example: Transfer of health data abroad for treatment reasons, as that would trump the person's health.
Name an example of adequate safeguards?
Contractual clauses or corporate rules.