International transfers Flashcards
(33 cards)
Which European body is responsible for making adequacy decisions?
The European Commission
How often are adequacy decisions reviewed?
Every four years
Which countries are adequacy decisions in place with?
- Argentina
- Uruguay
- Faroe Islands
- Isle of Man
- Guernsey and Jersey
- Andorra
- Switzerland
- Israel
- Japan (only covers private sector organisations)
- New Zealand
- Also USA (under Privacy Shield)
- Canada (data protected by PIPEDA only, which is applicable to commercial organisations; adequacy doesn’t cover all forms of personal data)
How often does Privacy Shield certification need to be renewed?
Annually
If you load personal data onto a UK server which is then available through a website, and you plan or anticipate that the website may be accessed from outside the EEA, is this a restricted transfer?
You should treat this as a restricted transfer (ICO)
If you want to transfer personal data to a US organisation under the Privacy Shield, what are the two things you need to check?
- Check on the Privacy Shield list to see whether the organisation has a current certification
- Make sure the certification covers the type of data you want to transfer.
What options are available if you want to make a restricted transfer (in order of preference)?
- Adequacy decisions
- Appropriate safeguards (which are set out in the GDPR)
- Derogations
If none of these apply, then the transfer would be in breach of GDPR
What are the 3 things you’re obliged to tell the data subject about data transfers?
- Intent to transfer data internationally
- Existence (or lack of) an adequacy decision
- Safeguards that are in place
What are “appropriate safeguards”?
They are legal tools designed to ensure recipients of data, who are outside the EEA, are bound to continue to protect personal data to a European-like standard
Mechanisms that can be used to get recipients to commit to protecting personal data and to facilitate ongoing, systematic cross-border transfers
Give some examples of appropriate safeguards when it comes to international transfers of data outside the EU
- Binding corporate rules
- Standard contractual clauses
- Approved codes of conduct and certification mechanisms
- Ad hoc contractual clauses
- Reliance on international agreements
What are the three over-arching options for international transfers under the GDPR?
- Adequacy decisions
- International safeguards
- Derogations
Before you even think about data transfers, what do you need to make sure you have?
A legal basis for processing the data
If you’re transferring data internationally, what are you obliged to tell the data subject(s)?
- Notify them of your intent to transfer personal data internationally
- Existence of an adequacy decision
- What safeguards are in place
As well as territories, what else can adequacy decisions apply to?
Under GDPR, adequacy decisions can also apply to:
- Sectors (e.g. regulated financial or healthcare sectors)
- International organisations
How often are adequacy decisions made under the Data Protection Directive reviewed?
Decisions made under the Data Protection Directive will remain in force until amended, replaced or repealed
What factors must the European Commission take into account when making adequacy decisions?
- Respect of the rule of law
- Access to justice
- International human rights standards
- Law (inc case law)
- Effective and enforceable rights for individuals (inc judicial redress)
- Data protection rules, professional rules and security measures (inc around onward transfers)
- Other international commitments and obligations
Is the EU-US Privacy Shield self-certified?
Yes
What recourse mechanisms does Privacy Shield offer?
- Internal complaint process
- Independent dispute resolution provider
- Department of Commerce or Federal Trade Commission
- Binding arbitration
What are “appropriate safeguards”?
They’re legal tools designed to ensure that recipients of data, who are outside the EEA, are bound to continue to protect personal data to a European-like standard
What are binding corporate rules?
BCRs are a form of appropriate safeguard.
They’re designed to allow large, multinational companies to adopt a policy suite with rules for handling personal data that are binding on the company.
They have to be signed off by a competent supervisory authority and are legally binding.
They confer enforceable rights on data subjects.
What are standard contractual clauses also known as?
Model clauses
They are a form of appropriate safeguard
They are a standard form which is non-negotiable
What is the most commonly used tool for appropriate safeguards?
Standard contractual clauses (aka model clauses)
What must ad hoc contractual clauses have if they are to be used as a tool for delivering Appropriate Safeguards?
They must have supervisory authority authorisation