The GDPR and its effect on organisations outside the EEA Flashcards
This deck can give you insight into whether the GDPR applies to you when you are not (or think you are not) directly located in the EEA.
When is e.g. an Australian organisation in the scope of the GDPR?
The GDPR applies not only in the territory of the EEA (EU + three non-EU states), but to processing in the context of activity in the EEA.
Entities outside the EEA are affected by the GDPR when they process personal data:
- and offer goods or services, irrespective of whether a payment is required, to data subjects in the EEA, or;
- when monitoring of the behaviour of data subjects takes place in the EEA.
Related:
Articles 2, 3
Recitals 23, 24
When is data allowed to be transferred outside the EEA?
A transfer to a third country or an international organisation may take place where the European Commission (EC) has decided that this country or organisation can provide an adequate level of data protection. This is called an “Adequacy Decision”.
Where an adequacy decision has not been granted, a transfer may take place when other appropriate safeguards have been provided, or when derogations to transfers apply.
Related:
Articles 44 - 49
Recitals 101 - 116
Why would it be useful for a country to get an Adequacy Decision, and how can a country get an Adequacy Decision?
An Adequacy Decision is granted by the European Commission to countries, territories, or international organisations. An entity that has been granted an Adequacy Decision can be treated as if it were part of the EEA.
The EC takes account of the following elements*:
a. The rule of law, respect for human rights and fundamental freedoms, relevant legislation, and effective and enforceable rights of data subjects.
b. The existence and effective functioning of independent supervisory authorities;
c. International commitments the third country or the international organisation has itself entered into.
*see Article 45(2)(a) for the full list.
Related:
Article 45
Recitals 101 - 116
If there is no Adequacy Decision granted by the European Commission (EC), other appropriate safeguards have to be provided to make international transfers of personal data outside the EEA possible.
What are these safeguards?
Appropriate safeguards are considered to be:
a. A legally binding and enforceable instrument between public authorities and bodies;
b. Binding Corporate Rules (BCRs);
c. Standard Data Protection clauses adopted by the EC;
d. Standard Data Protection clauses adopted by a supervisory authority and approved by the EC;
e. An approved Code of Conduct together with binding and enforceable commitments of the controller and the processor in the third country;
f. An approved certification mechanism together with binding and enforceable commitments of the controller and the processor in the third country.
Related:
Article 46
Recitals 101 - 116
Which are the countries currently in possession of an Adequacy Decision?
Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, and Uruguay are countries which have been granted an adequacy decision. The U.S. has an Adequacy Decision limited to the companies under the Privacy Shield. However, this is very much contested at the moment (March 2018).
Related:
Article 45
Recitals 101 - 116
Source:
https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en
What are Binding Corporate Rules (BCRs)?
BCRs are like a code of conduct. They allow multinational companies to transfer personal data internationally within the same corporate group to countries that do not provide an adequate level of protection. All departments covered by a BCR can be treated as if they were in the EEA.
Binding corporate rules ensure that all data transfers within a corporate group are safe. They must contain:
- privacy principles, such as transparency, data quality, security;
- tools of effectiveness (such as audit, training, or complaint handling systems);
- an element proving that the rules are binding.
Related:
Articles 46 - 47
Recitals 101 - 116
Source:
https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/binding-corporate-rules_en
For an average organisation, what are the 2 means to transfer personal data in the absence of an adequacy decision or other appropriate safeguards?
Article 49 describes 2 likely methods for transferring personal data to third countries:
1(a). The data subject has explicitly consented* to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of appropriate safeguards;
1(b). The transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request.
*see Article 7 of the GDPR for the rules on valid consent.
Related:
Article 49
Recitals 101 - 116