International Data Transfers Flashcards
What is the scope of transfer?
The fact that a personal data may be routed through a third country on the way from my EEA country does not bring such transfer within the scope of the restrictions under the GDPR unless some substantive processing operation is conducted on the personal data in the the third country. .
If the original transfer did not qualify as processing of personal data, would the subsequent international exchange be regarded as the transfer for the purposes of the regulation?
Yes. An example of this would be where information is provided by someone in the EU over the telephone to someone in a third country who then enters the information on the computer.
Which companies can join the privacy shield?
US businesses subject to the jurisdiction of the FTC or Department of Transportation.
This covers most US for-profit businesses but excludes a number of banks, financial services companies, telecoms and other businesses that are not subject to the jurisdiction of those regulatory agencies.
What are the seven principles which Privacy Shield companies must comply?
- Notice
- Choice
- Accountability for onward transfer
- Security
- Data integrity and purpose Limitation
- Access
- Recourse, enforcement and liability
NCASDAR
Nine cats ate some dragons and rats
The privacy shield requires companies that self certify compliance with the privacy shield principles to take comply which include:
(1) conduct internal compliance assessment to determine the company’s ability to comply
(2) Register with a third party arbitration provided to handle any complaints
(3) adopt a privacy shield notice that contains 13 specified details about the company’s privacy practices, and publish the notice online.
What are the three sets of standard contractual clauses now in place
- 2001 controller to controller clauses
- 2004 alternative controller to controller clauses
- 2010 controller to processor clauses
What are the derogations for transfers of personal data?
- Consent
- Contract performance
- Substantial public interest
- Legal claims
- Vital interests
- Public registers
- Not repetitive transfers
CCSLVPN
Cute cats steal Lanon ‘s VPN
What are the transfer rules regarding public registers?
Exports of personal data can be made from information available on a public register provided that the person to whom the information is transferred complies with any restrictions on access to or use of the information in the register.
This allows transfers of extracts from public register of directors. However this does not allow transfers of the complete register. In addition, if the conditions of use imposed by the body responsible for compiling the register, they must be honoured by the importer and any further recipients.
What are the requirements on not repetitive transfers?
A transfer may take place if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interest pursued by the controller which are not overridden by the interest or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data.
In these situations, the controller must inform the supervisory authority and the data subject of the transfer. The individual must also be informed of the compelling legitimate interests pursued by the controller.
Order of preference for GDPR- compliant personal data transfers
Art 45- adequacy decision Art 46- appropriate safeguards Art 47- binding corporate rules Art 48- Where a foreign tribunal or admin body has ordered transfer not otherwise permitted Art 49- conditions for derogations
