European Data Protection Supervisor – The transfer of personal data to third countries and international organisations by EU institutions and bodies. Position paper. Brussels, 14 July 2014.
“This paper provides guidance to EU institutions and bodies on how to interpret and apply the rules laid down in Regulation (EC) No 45/2001 in the context of international transfers of personal data. EU institutions and bodies increasingly need to transfer personal data to third countries or international organisations for different reasons, including cross-border cooperation and the use of transnational services. The “principle of adequate protection” (Article 9.1 and 9.2) has to be respected when transferring data internationally. This principle requires that the fundamental right to data protection is guaranteed even when personal information is transferred outside the EU or to bodies not subject to EU law. Controllers should analyse the level of protection provided by the recipient of the data – adequacy should be determined by the nature of the data protection rules applicable at the destination, and the means for ensuring their effective application (supervision and enforcement).In cases where the European Commission has adopted an “Adequacy Decision” (Article 9.5), it is not necessary to further analyse the need for adequacy. Transfers are also allowed when the controller develops specific mechanisms that provide for appropriate safeguards (Article 9.7). Finally, transfers without special safeguards are allowed in exceptional circumstances, provided that a specific derogation is applicable (Article 9.6). Where EU institutions or bodies are required by EU legislation or bilateral agreements to conduct international transfers, acting as controllers, and the country of destination has not been declared adequate by the Commission, the instrument should ideally provide for the appropriate measures necessary to ensure compliance with Article 9 of the Regulation. To this end, the EDPS should be consulted in accordance with Article 28.2 of the Regulation before this kind of legal instrument is adopted. The EDPS might intervene in a supervisory role, depending on how the transfers are conducted, particularly if there has been no EDPS consultation or prior authorisation, in cases where this could have been expected. We may also conduct inspections or use our enforcement powers, as appropriate.”
Sorry, comments are closed for this post.