Datafication 7 Transfers

Question 1

Transfer tools Art. 44

Answer 1

toolkit of mechanisms to transfer pd to 3rd country which are or intend processing

Question 2

third country

Answer 2

outside EU & Iceland, Lichtenstein Norway etc.

Question 3

e.g. CJEU case: is posting of pd on website = transfer to 3rd country as it makes data accessible to people in 3rd country?

Answer 3

• No, not intended to cover that by legislature
• then every posting on website = transfer to all 3rd countries

Question 4

Transfer tools Chapter 5 Art. 45 - 50

Answer 4

1. Adequacy decisions Art. 45
2. Appropriate safeguards Art. 46
3. Derogations

Question 5

Adequacy decisions Art. 45

Answer 5

• EU Commission recognized countries to provide adequate protection
• essentially equivalent guarantees as in EU ensured by law for fundamental rights & freedoms

Question 6

Adequacy decisions Art. 45 - requirement for transfering

Answer 6

Transfers without any specific authorization

Question 7

Adequacy decisions Art. 45 - adoption of adequacy decision involves

Answer 7

• Proposal from European Commission
• Opinion of European Data Protection Board
• Approval from representatives of EU countries
• Adoption of decision by European Commission

Question 8

Adequacy decisions Art. 45 - powers to withdraw etc.

Answer 8

At any time: European Parliament & Council can request maintain, amend, or withdraw if country exceed powers provided in regulation

Question 9

Adequacy decisions Art. 45 - countries

Answer 9

Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, UK, Uruguay

Question 10

Appropriate safeguards Art. 46

Answer 10

• data controller or processor provided one:
• Standard contractual clauses (SCC)
• Binding corporate rules art. 47
• Approved codes of conduct & certification mechanisms
• Ad hoc contractual clauses (must have Supervisory Authority authorization)
• Reliance on international agreement

Question 11

Standard contractual clauses (SCC) = Model Clauses

Answer 11

• EU Commission decides that SCCs = sufficient safeguards for international data transfer
• 2 SCCs sets to transfer data from dc in EU to dc outside EU / EEA
• 1 CC set to transfer data from dc in EU to dp outside EU / EEA

Question 12

Binding corporate rules art. 47

Answer 12

• internal rules for transfers
• within a group of undertakings engaged in joint economic activity (multinational companies and governed by code of conduct)
• to countries that do not provide adequate level of protection

Question 13

Binding corporate rules art. 47 - requirement

Answer 13

• shall be approved by SA if corporate rules …
  a) are legally binding & apply to all members of group
  b) include enforceable rights on ds with regard to processing of their pd
  c) and fulfill requirements in Art. 47(2) - list of content

Question 14

Binding corporate rules art. 47 - content (must include)

Answer 14

• Privacy principles (e.g. transparency, data quality, security)
• Tools of effectiveness (e.g. audits, trainings)
• Element providing that rules are binding

Question 15

Binding corporate rules art. 47 - con

Answer 15

main company is liable for what other parties do, very expensive

Question 16

Ad hoc contractual clauses

Answer 16

must have SA authorization

Question 17

e.g. Schrems case

Answer 17

• “Safe Harbour Privacy principles” (= scheme for transfer of pd btw EU & US)
• invalid (Snowden reference): US not ensure adequate protection of pd against surveillance activities by US public authorities
• replacement by “EU-US Privacy Shield” including:
• Data protection obligations on companies receiving pd from EU
• mechanism independent from US intelligence service & deals with complaints of individuals
• Annual joint review to monitor

Question 18

Schrems 2 case: new principles same flaws

Answer 18

• CJEU declared shield invalid
• but validity of SCC Decision while stricter requirements for SCC & BCR based transfers
• US not essentially equivalent levels of protection required by EU: not sufficiently limit powers of US authorities & lack actionable rights for EU subjects against US authorities

Question 19

Derogations

Answer 19

• no other tool -> 1 condition must fulfilled:
  1) Explicit consent from ds to transfer or necessary for…
  2) protect vital interest of ds or other person (ds incapable of consent)
  3) legal claims
  4) contract btw ds & dc or pre-contractual measures taken at ds request
  5) performance for contract in interest of ds btw dc & other person
  6) important reasons of public interest

Question 20

Risk assessment of transfers to 3rd countries (EDPB 01/2020)

Answer 20

1) Know transfer: map weather it is adequate, relevant & limited to what is necessary for purpose
2) Verify transfer tool
3) Asses 3rd country law / practice: anything reducing effectiveness of tools safeguards?
4) Identify & adopt supplementary measures required by 3 (ensure level of protection same as in EU)
5) Implement 4
6) Re-evaluate & monitor

Question 21

Risk assessment of transfers to 3rd countries (EDPB 01/2020) - step 4 potential supplementary measures

Answer 21

• Pseudonymization
• No sensitive pd
• Shorter deletion deadlines
• Restricted access to retransmission
• Data-minimization
• Encryption
• Extended notification