Data transfers to non-EU countries under the new GDPR

Presentation transcript:

Data transfers to non-EU countries under the new GDPR
AMCHAM & BCC Lunch with CNPD: “Data Protection”
Streff Data Protection Services, Windhof
Arnaud Habran, Legal Department
28 February 2018

Your obligations as controller or processor under GDPR
- Data quality principles
- Record of processing activities
- Security and personal data breach notifications
- Data protection impact assessment (DPIA)*
- Data Protection Officer
- Processors
- Transfers to third countries
- The rights of data subjects
- Internal governance (accountability)

Data quality principles
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability

Processing (inside and outside the E.U.)
Obligations of the E.U. controller:
- Choose a sufficiently qualified processor and always keep control of the processing activities
- Maintain oversight and control over sub-processing
- Conclude a written contract with each processor
Transfers inside the E.U. (and where adequacy decisions apply), amongst others:
- The processor only processes the personal data on documented instructions of the controller
- The processor must assist the controller (e.g. information and transparency) in being compliant with the requirements of the GDPR (e.g. purpose limitation, transfers to third countries)
Transfers outside of the E.U.: see next slides

Processing (inside the E.U.)
Obligations of the E.U. processor:
- Only process the personal data on documented instructions of the controller
- Observe the contract concluded with the controller
- If a processor processes the data for other purposes, the processor becomes the controller for that processing activity
- Assist the controller (information and transparency)
- Own obligations under the GDPR, amongst others:
  - Purpose limitation principle
  - Transfers of personal data to third countries
  - Sub-processing activities

Transfers to third parties (inside and outside the E.U.)
- Purpose limitation principle
- Transparency and information of the data subject:
  - Recipients or categories of recipients of the personal data, if any
  - (Where applicable) Transfer of personal data to a recipient in a third country or international organisation
  - Existence or absence of an adequacy decision by the European Commission (COM)
  - Reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available

Transfers to third parties (inside and outside the E.U.)
Principle = free flow of data within the E.U./E.E.A.: no additional obligations

Transfers to third countries (outside the E.U.) - Adequacy decision (1)
If the country is outside the E.U./E.E.A., the transfer is possible if there is an Adequacy Decision by the European Commission (“white list”):
- Andorra
- Argentina
- Faeroe Islands
- Guernsey
- Isle of Man
- Jersey
- New Zealand
- State of Israel
- Switzerland
- Uruguay

Transfers to third countries (outside the E.U.) - Adequacy decision (2)
Countries with an adequate level of protection in specific cases only:
- Canada: processing operations subject to the Canadian Personal Information Protection and Electronic Documents Act (= private companies)
- United States of America: transfers to U.S. companies registered with the EU-U.S. Privacy Shield Framework

Transfers to third countries (outside the E.U.) - Adequacy decision (3)
In the future, possible new adequacy decisions (for the whole country or partial adequacy) for:
- Japan
- South Korea
- United Kingdom (in case of Brexit)?

Transfers to third countries (outside the E.U.) - Adequate safeguards (1)
If no adequacy decision: adequate safeguards (without authorisation from the CNPD):
- Standard data protection clauses (= model clauses)
  - Adopted by the Commission (C-to-C and C-to-P, i.e. controller-to-controller and controller-to-processor)
  - Adopted by a supervisory authority (e.g. CNPD) and approved by the European Commission
- Binding corporate rules (“BCR”)
- Approved code of conduct (+ binding and enforceable commitments of the DC/DP (data controller/data processor), incl. data subjects’ rights)
- Approved certification mechanism (+ binding and enforceable commitments of the DC/DP, incl. data subjects’ rights)
- Legally binding and enforceable instrument between public authorities or bodies

Transfers to third countries (outside the E.U.) - Adequate safeguards (2)
If no adequacy decision: adequate safeguards subject to the prior authorisation of the CNPD:
- Contractual clauses (= “ad hoc” clauses)
- Provisions to be inserted into administrative arrangements between public authorities

Transfers to third countries (outside the E.U.) - Derogations (1)
If no adequate safeguard is possible, use of derogations:
- Consent of the data subject (incl. information on the possible risks of the transfer due to the absence of an adequacy decision and appropriate safeguards)
- Transfer is necessary for the performance of a contract between the data subject and the controller
- Transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject
- Transfer is necessary for important reasons of public interest
- Transfer is necessary for the establishment, exercise or defense of legal claims
- Transfer is necessary in order to protect the vital interests of the data subject or of other persons (+ impossibility for the data subject to give consent)
- Transfer made from a register intended to provide information to the public + which is open to consultation either + conditions for consultation fulfilled
Document why you chose to use derogations instead of appropriate safeguards.

Transfers to third countries (outside the E.U.) - Derogations (2)
If none of those derogations apply: “last resort” derogation = “legitimate interests”, if:
- the transfer could not be based on adequate safeguards or any other derogation, AND
- the transfer is not repetitive, AND
- the transfer concerns only a limited number of data subjects, AND
- the transfer is necessary for the purposes of compelling legitimate interests pursued by the controller, AND
- those legitimate interests are not overridden by the interests or rights and freedoms of the data subject, AND
- the controller has assessed all the circumstances surrounding the data transfer and has, on the basis of that assessment, provided suitable safeguards with regard to the protection of personal data, AND
- the controller has informed the CNPD of the transfer, AND
- the controller has informed the data subject of the transfer and of the compelling legitimate interests pursued

Transfers to third countries (outside the E.U.) - Conclusion
1. Transfer to an E.U. / E.E.A. country
2. Adequacy decision
3. Appropriate safeguards:
   - Standard data protection clauses
   - Binding corporate rules (BCR)
   - Approved code of conduct / certification scheme + binding and enforceable commitments
   - Binding and enforceable instrument between public bodies
   - “Ad hoc” clauses + authorization CNPD
   - Provisions in administrative arrangements + authorization CNPD
4. Derogations:
   - Informed consent
   - Performance of a contract
   - Interest of the data subject
   - Public interest
   - Defense of legal claims
   - Vital interests of the data subject
   - Transfer from a public register
5. Legitimate interests (last resort)

Transfers from third countries (to the E.U.)
- GDPR applies if a controller or processor is located in Luxembourg / in the E.U.
- No need for additional guarantees
N.B.: GDPR also applies if a controller or processor is located outside the E.U., where the processing activities are related to:
- the offering of goods or services to data subjects in the E.U., OR
- the monitoring of data subjects’ behavior in the E.U.