Transfer to third countries and international organisations Flashcards

1
Q

When are transfers to third countries allowed?

A

On the basis of an adequacy decision (Article 45)

When subject to appropriate safeguards (Article 46)

  • Legally binding and enforceable instrument between public authorities or bodies
  • Binding corporate rules
  • Standard data protection clauses adopted by Commission or supervisory authority
  • Codes of conduct
  • Certification mechanisms
  • Customised contractual clauses between controller/processor and recipient - need authorisation by the competent DPA
2
Q

What is an adequacy decision?

A

A decision by the Commission stating that the third country or international organisation ensures an adequate level (essentially equivalent) of data protection, thus legitimising the transfer.

Can be challenged by a supervisory authority.

Subject to monitoring on an ongoing basis.

Privacy Shield

  • Data protection obligations on companies receiving data
  • Ombudsperson mechanism - independent, deals with complaints from individuals
  • Annual joint review to monitor the framework’s implementation
3
Q

What are standard contractual clauses?

A

Most important features:
○ Third-party beneficiary clause - the data subject can exercise contractual rights even without being a party to the contract
○ Data recipient agrees to be subject to the SA of the transferring party

There exist 2 controller-to-controller sets and 1 controller-to-processor set

4
Q

What are binding corporate rules?

A

Transfers taking place within a group of enterprises or undertakings that are part of a joint economic activity

Must be authorised by DPA (by consistency mechanism)

Requirements:
○ Legally binding
○ Cover all essential data protection principles
○ Apply to every member of the group
○ Give enforceable rights to subjects
○ Describe structure of undertaking, the transfer and how principles will be applied

5
Q

What derogations exist?

A

Derogations for specific situations - transfers can happen anyway

- Explicit consent from data subject
- Contractual relationship requiring transfer
- Interest of the data subject
- Important reasons of public interest
- Relating to legal claims
- Protect vital interests
- Transfer of data from public registers 

In exceptional cases, transfers can be made even outside of these requirements, if the transfer is not repetitive, concerns a limited number of subjects and is necessary for the purposes of the data controller’s compelling legitimate interests, insofar as data subject’s rights do not override these.

6
Q

What are examples of international agreements between EU and third countries?

A

Passenger Name Records
○ Data collected during flight reservation
○ Agreement with Australia, Canada, US
○ Transfer of data to fight crime (terrorism etc.)

SWIFT
- Agreement providing a legal basis for disclosing data, mainly about EU citizens, to the US.

7
Q

What are the four European Guarantees?

A

Guarantee # 1: Processing should be based on clear, precise and accessible rules

Guarantee # 2: Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated

Guarantee # 3: An independent oversight mechanism should exist

Guarantee # 4: Effective remedies need to be available to the individual
