On 19 March 2019, the first decision of the European Commission issued on the basis of the General Data Protection Regulation ("GDPR"), stating that a third country, namely Japan, ensures an adequate level of protection of personal data, was published in the Official Journal of the European Union. As this is the only decision issued on the basis of the GDPR so far, we would like to present a brief summary of the legal grounds that allow the transfer of personal data outside the European Economic Area ("EEA").
At the outset, let us explain what a "transfer" of personal data is.
The GDPR does not define this concept, but it is undoubtedly one of the operations of personal data processing. The term "transfer" appears only in the context of personal data processing that goes beyond the EEA. It therefore covers all operations on personal data as a result of which the data is sent to third countries (i.e. outside the EEA) [i]. The method of transmission is irrelevant: it does not matter whether the data is sent electronically or on a data carrier, or whether it is transmitted on the basis of a contract or not. A transfer also takes place, in principle, when personal data is not recorded in a third country but only displayed there, e.g. on a computer screen. In general, therefore, it is every case in which personal data crosses the borders of the EEA.
A transfer of personal data to a third country takes place, for example, when the data is made available to a controller in a third country, or when a processor with its registered office in a third country is engaged. It should be noted that even if personal data is transferred within a single organizational structure, i.e. between organizational units of the same legal entity located in the EEA and in a third country, the provisions of the GDPR on the transfer of personal data to a third country still apply.
The transmission of personal data within the European Union, or more broadly within the EEA, involves the same obligations as sharing or entrusting personal data to another entity within the same Member State. However, if the data is transferred to a third country (i.e. a country outside the EEA) or to an international organization, the entity transferring the personal data must meet additional requirements.
As a rule, in order to process personal data at all, one of the legal bases indicated in art. 6 sec. 1 of the GDPR must exist. Thus, the legal basis for data processing can be, among others:
i. the consent of the person whose data is processed,
ii. the necessity to perform a contract to which the data subject is party,
iii. the necessity to fulfill a legal obligation,
iv. a legitimate interest pursued by the controller or a third party.
We will not discuss the individual legal bases for the processing of personal data in more detail, as that is extensive material, and this article deals with the bases for the transfer of personal data outside the EEA.
Importantly, when we transmit data outside the EEA, in addition to the need to prove the existence of one of the legal bases for data processing indicated in article 6 sec. 1 of the GDPR, we must also demonstrate the existence of an appropriate legal basis allowing the transfer of personal data to a third country.
What can be the basis for this?
1. An adequacy decision issued by the Commission.
When we want to transfer personal data to a non-EEA entity, we should first check whether the Commission has issued a decision stating that the third country, a territory or specific sector(s) in the third country, or the international organization provides a so-called adequate level of protection. What does this concept mean? The GDPR contains no definition. Generally speaking, it is protection of personal data provided by a third country or international organization at a level similar to European Union standards. When assessing whether a country provides such protection, the Commission shall take into account, in particular: the rule of law, respect for human rights and fundamental freedoms, relevant legislation, rules on the protection of personal data, the existence of effective and enforceable rights of data subjects, and the existence and effective functioning of at least one independent supervisory authority in the third country responsible for ensuring and enforcing compliance with the provisions on the protection of personal data [ii].
If a decision declaring an adequate level of protection has been issued, we do not need to obtain any additional authorization to transfer data outside the EEA. When transferring, we simply rely on the decision of the European Commission.
As mentioned in the introduction, only one such decision, concerning Japan, has been issued since the GDPR entered into force.
Does this mean that personal data can be transferred only to Japan on the basis of a Commission decision? No. Under the previous provisions on the protection of personal data [iii], the Commission was also entitled to issue decisions establishing an adequate level of protection. According to the GDPR, all decisions adopted under the now repealed provisions remain in force until they are amended, replaced or repealed by a Commission decision adopted on the basis of the GDPR.
Currently, including Japan, there are 13 such countries (territories) [iv]. However, before any transfer of personal data to a third country, it is necessary to examine the relevant decision to check whether every type of transfer of personal data outside the EEA is possible or whether there are restrictions (e.g. the decision concerning Israel applies only to automated processing of data). For ease of reference, we have prepared a list of the third countries for which Commission decisions have been issued, together with references to these acts and comments on the scope of each decision. The list is current as of April 25th, 2019. We will update it as soon as changes occur.
You can download a table with a list of third countries free of charge at the end of this article.
2. Standard data protection clauses.
If there is no adequacy decision of the European Commission for the country in question, you should look for another legal basis. Typically, in relations between businesses, such an instrument is the standard data protection clauses adopted by the European Commission (so-called standard contractual clauses). What are they?
Simply put, these are model contracts adopted by the European Commission which can be used when transferring personal data to a controller or processor based in a third country. As a rule, the provisions contained in standard contractual clauses cannot be changed. The essence of the parties' rights and obligations, and above all the data protection guarantees, cannot be reduced. However, you may add obligations to the clauses that raise the standard of personal data protection.
The standard contractual clauses were adopted before the entry into force of the GDPR, but until the Commission issues new clauses, the existing documents can be used. Two sets of clauses concern the relationship between data controllers, and one concerns the transfer of data by a controller to a processor located in a third country. For the time being, no standard clauses have been issued for a contract between a processor established in the EEA and a further processor established in a third country. We hope that guidelines of the European Data Protection Board covering the above-mentioned issues will appear this year. For now, the prevailing view is that in this situation the EEA processor may conclude a contract with the further processor on behalf of the controller, using the standard contractual clauses intended for the relationship between a controller in the EEA and a processor outside the EEA.
You can find the standard contractual clauses adopted by the Commission here:
3. Transfer subject to other relevant safeguards.
In addition to the standard contractual clauses adopted by the European Commission, the transfer of personal data to third countries may also take place, among other cases, on the basis of:
i. binding corporate rules approved by the competent supervisory authority ("BCR") [v],
ii. standard data protection clauses adopted by a supervisory authority and approved by the European Commission [vi],
iii. a code of conduct approved in accordance with article 40 of the GDPR [vii],
iv. a certification mechanism approved in accordance with article 42 of the GDPR [viii],
v. contractual clauses between the controller or processor and the controller, processor or recipient of the personal data in the third country or international organization, subject to authorization by the competent supervisory authority,
vi. other safeguards indicated in art. 46 of the GDPR [ix].
4. Exceptions in special situations.
When there is neither an adequacy decision of the European Commission nor any of the appropriate safeguards indicated in art. 46 of the GDPR, a single or repeated transfer of data to a third country or international organization is possible exceptionally, provided that one of the conditions indicated in art. 49 sec. 1 of the GDPR is met. The legal bases for the transfer of personal data to third countries set out in that provision apply to specific situations and must be interpreted as exceptions.
In the absence of the aforementioned safeguards, the exceptions most often applicable to businesses are [x]:
i. the explicit and voluntary consent of the data subject, provided that they have been informed of the possible risks of a transfer made in the absence of adequate safeguards,
ii. the transfer is necessary for the performance of a contract between the data subject and the controller,
iii. the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person,
iv. the transfer is necessary for the establishment, exercise or defense of legal claims.
It should be emphasized that a transfer based on a contract or a legal claim may only be occasional.
A special exception allows the controller to transfer data when it is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the transfer and, on the basis of that assessment, has provided suitable safeguards for the protection of the personal data. In this case the transfer may take place only if it is not repetitive and concerns a limited number of data subjects. Additionally, the supervisory authority must be informed of the transfer. The detailed requirements are specified in the second paragraph of article 49 sec. 1 of the GDPR.
A more detailed discussion of all the above-mentioned legal grounds for the transfer of personal data to third countries or international organizations would require a very extensive study, and unfortunately the length of this article does not allow us to cover every issue. However, if you are interested in more detailed information on this topic, please contact us via our contact form: https://www.esb-legal.pl/en/contact. We will be happy to address your questions in a future article.
April 25th, 2019, attorney-at-law Agnieszka Rapcewicz
[i] The provisions of the GDPR also apply to the EEA Member States, as the GDPR has been included in the Agreement on the European Economic Area. More information can be found here: https://www.efta.int/eea-lex/32016R0679
[ii] A wider list of circumstances that the Commission must take into account when determining whether a degree of protection is appropriate can be found in article 46 sec. 2 of the GDPR.
[iii] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, art. 25 sec. 6
[iv] To be precise, in the case of the Privacy Shield the decision does not apply to the third country, i.e. the USA, as such, but to the Privacy Shield program run in that country (and to the entities certified under this program). For simplicity, however, we list the US among the countries for which the Commission has found an adequate level of protection.
[v] These are personal data protection policies applied by a controller or processor established in the territory of a Member State for transfers, or a set of transfers, of personal data to a controller or processor in one or more third countries within a group of undertakings, or a group of enterprises engaged in a joint economic activity.
[vi] For example, the President of the Office for the Protection of Personal Data.
[vii] The code must contain binding and enforceable obligations for the controller or processor in the third country to apply appropriate safeguards, including in relation to the rights of the data subjects. The codes are designed as a tool to help in the proper application of the GDPR, taking into account the specificity of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.
[viii] The certification mechanism must include binding and enforceable obligations for the controller or processor in the third country to apply appropriate safeguards, including in relation to the rights of data subjects. Certification mechanisms and data protection seals and marks are intended to demonstrate that the processing operations carried out by controllers and processors comply with the GDPR. At the same time, the specific needs of micro, small and medium-sized enterprises should be taken into account.
[ix] These are a legally binding and enforceable instrument between public authorities or bodies, and provisions inserted into administrative arrangements between public authorities or bodies that provide for enforceable and effective rights of data subjects (subject to authorization by the competent supervisory authority).
[x] The full catalog of exceptions is contained in art. 49 sec. 1 of the GDPR.