Data transfers to non-EU countries under the new GDPR


1 Data transfers to non-EU countries under the new GDPR
AMCHAM & BCC Lunch with CNPD: “Data Protection” Streff Data Protection Services, Windhof Arnaud Habran 28 February 2018 Legal Department

2 Your obligations as controller or processor under GDPR
- Data quality principles
- Record of processing activities
- Security and personal data breach notifications
- Data protection impact assessment (DPIA)*
- Data Protection Officer
- Processors
- Transfers to third countries
- The rights of data subjects
- Internal governance (accountability)

3 Data quality principles
- Accountability
- Accuracy
- Lawfulness, fairness and transparency
- Storage limitation
- Purpose limitation
- Integrity and confidentiality
- Data minimisation

4 Processing (inside and outside the E.U.)
Obligations of the E.U. controller:
- Choose a sufficiently qualified processor and always keep control of the processing activities
- Maintain oversight and control over sub-processing
- Conclude a written contract with each processor
Transfers inside the E.U. (and where adequacy decisions): amongst others,
- The processor only processes the personal data on documented instructions of the controller
- The processor must assist the controller (e.g. information and transparency) in being compliant with the requirements of the GDPR (e.g. purpose limitation, transfers to third countries)
Transfers outside of the E.U. → see next slides

5 Processing (inside the E.U.)
Obligations of the E.U. processor:
- Only process the personal data on documented instructions of the controller
- Observe the contract concluded with the controller
- If a processor processes the data for other purposes, the processor becomes the controller for that processing activity
- Assist the controller
  - Information and transparency
- Own obligations under the GDPR, amongst others:
  - Purpose limitation principle
  - Transfers of personal data to third countries
  - Sub-processing activities

6 Transfers to third parties (inside and outside the E.U.)
- Purpose limitation principle
- Transparency and information of the data subject:
  - Recipients or categories of recipients of the personal data, if any
  - (Where applicable) Transfer of personal data to a recipient in a third country or international organisation
  - Existence or absence of an adequacy decision by the COM
  - Reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available

7 Transfers to third parties (inside and outside the E.U.)
Principle = Free flow of data within the E.U./E.E.A. → No additional obligations

8 Transfers to third countries (outside the E.U.)
Adequacy decision (1)
If country is outside the E.U./E.E.A.: transfer possible, if Adequacy Decision by the European Commission (“white list”):
- Andorra
- Jersey
- Argentina
- New Zealand
- Faeroe Islands
- State of Israel
- Guernsey
- Switzerland
- Isle of Man
- Uruguay

9 Transfers to third countries (outside the E.U.)
Adequacy decision (2)
Countries with an adequate level of protection in specific cases only:
- Canada → processing operations subject to the Canadian Personal Information Protection and Electronic Documentation Act (= private companies)
- United States of America → transfers to U.S. companies registered with the EU-U.S. Privacy Shield Framework

10 Transfers to third countries (outside the E.U.)
Adequacy decision (3)
In the future, possible new adequacy decisions (for the whole country or partial adequacy) for:
- Japan
- South Korea
- United Kingdom (in case of Brexit)?

11 Transfers to third countries (outside the E.U.)
Adequate safeguards (1)
If no adequacy decision: Adequate Safeguards (without authorisation from the CNPD):
- Standard data protection clauses (= model clauses)
  - Adopted by the Commission (C-to-C and C-to-P)
  - Adopted by a supervisory authority (e.g. CNPD) and approved by the European Commission
- Binding corporate rules (“BCR”)
- Approved code of conduct (+ binding and enforceable commitments of the DC/DP incl. data subjects' rights)
- Approved certification mechanism (+ binding and enforceable commitments of the DC/DP incl. data subjects' rights)
- Legally binding and enforceable instrument between public authorities or bodies

12 Transfers to third countries (outside the E.U.)
Adequate safeguards (2)
If no adequacy decision: Adequate Safeguards subject to the prior authorisation of the CNPD:
- Contractual clauses (= “ad hoc” clauses)
- Provisions to be inserted into administrative arrangements between public authorities

13 Transfers to third countries (outside the E.U.)
Derogations (1)
If no adequate safeguard is possible: use of derogations:
- consent of the data subject (incl. information on possible risks of transfers due to the absence of an adequacy decision and appropriate safeguards)
- transfer is necessary for the performance of a contract between the data subject and the controller
- transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject
- transfer is necessary for important reasons of public interest
- transfer is necessary for establishment, exercise or defense of legal claims
- transfer is necessary in order to protect the vital interests of the data subject or of other persons (+ impossibility for data subject to give consent)
- transfer made from a register intended to provide information to the public + which is open to consultation either + conditions for consultation fulfilled
Document why you chose to use derogations instead of appropriate safeguards

14 Transfers to third countries (outside the E.U.)
Derogations (2)
If none of those derogations apply: “Last resort” derogation = “legitimate interests” if:
- transfer could not be based on adequate safeguards or any other derogations AND
- transfer not repetitive AND
- transfer concerns only a limited number of data subjects AND
- transfer necessary for the purposes of compelling legitimate interests pursued by the controller AND
- those legitimate interests are not overridden by the interests or rights and freedoms of the data subject AND
- the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data AND
- the controller informed the CNPD of the transfer AND
- the controller informed the data subject of the transfer and on the compelling legitimate interests pursued

15 Transfers to third countries (outside the E.U.) - Conclusion
Transfer to an E.U. / E.E.A. country
Adequacy decision
Appropriate safeguards:
- Standard data protection clauses
- Binding corporate rules (BCR)
- Approved code of conduct / certifications scheme + binding and enforceable commitments
- Binding and enforceable instrument between public bodies
- “Ad hoc” clauses + authorization CNPD
- Provisions in administrative arrangements + authorization CNPD
Derogations:
- Informed consent
- Performance of a contract
- Interest of the data subject
- Public interest
- Defense of legal claims
- Vital interests of the data subject
- Transfer from a public register
Legitimate interests

16 Transfers from third countries (to the E.U.)
GDPR applies if a controller or processor is located in Luxembourg / in the E.U.
No need for additional guarantees
N.B.: GDPR applies if a controller or processor is located outside the E.U., where the processing activities are related to:
- the offering of goods or services to data subjects in the E.U. OR
- the monitoring of data subjects’ behavior in the E.U.
