What are the options for internationally transferring personal data?

- adequacy decision - finding by the Commission that certain countries, or sectors within a country, adequately protect EU data by law, obviating any need for additional safeguards
- appropriate safeguards - binding corporate rules (BCRs), standard contract clauses, codes of conduct or certification mechanisms, ad hoc contractual clauses authorized by SA
- derogations - last resort only under specific conditions


What countries have adequacy sections?

Isle of Man
Canada (international agreement)
Faeroe Islands
New Zealand
Switzerland (international agreement)
USA (Privacy Shield)


What are the criteria for adequacy?

- respect of the rule of law
- access to justice
- international human rights standards
- general and sectoral laws
- effective and enforceable rights of individuals
- data protection rules, professional rules


When and why was Safe Harbour invalidated?

October 2015 - Schrems v DPA Ireland (Facebook Ireland, European subsidiary of Facebook). Safe Harbour did not prevent US government access to data.


When was Safe Harbor found to be adequate by European Commission?

July 2000


When was the EU-US Privacy Shield formally approved?

July 2016


Who can qualify for using the EU-US Privacy Shield?

An organisation that falls under the US Federal Trade Commission (not financial institutions)


What are the requirements of the EU-US Privacy Shield self-certification programme?

- publicly disclose their privacy policy
- renew certification annually
- publicly commit to the Principles
- implement the Principles


What are the seven principles of EU-US Privacy Shield?

- notice
- choice (data subject rights)
- accountability for onward transfer
- security
- data integrity and purpose limitation
- access
- recourse, enforcement and liability


Who approves BCRs?

The supervisory authorities must sign off on the rules through the consistency mechanism.
The rules are for handling personal data that are binding on the company.


Who can use BCRs?

- Companies engaged in joint economic activity
- Corporate groups and groups of enterprises
- Controllers and processors


What are the options for providing appropriate safeguards for cross-border data transfers?

- binding corporate rules (BCRs)
- standard contract clauses
- codes of conduct or certification mechanisms
- ad hoc contractual clauses


Who is entitled to self-certify to the Privacy Shield?

A US-based company that must be subject to powers of the Federal Trade Commission or of the Department of Transport