readenglishbook.com » Law » GDPR Articles With Commentary & EU Case Laws, Adv. Prashant Mali [books to read as a couple .txt] 📗

Book online «GDPR Articles With Commentary & EU Case Laws, Adv. Prashant Mali [books to read as a couple .txt] 📗». Author Adv. Prashant Mali



1 ... 18 19 20 21 22 23 24 25 26 ... 71
Go to page:
under Directive 95/46, has been further developed by the CJEU (The Court of Justice of the European Union). At this point it is important to recall the standard set by the CJEU in Schemes, namely that while the "level of protection" in the third country must be "essentially equivalent" to that guaranteed in the EU, "the means to which that third country has recourse, in this connection, for the purpose of such a level of protection may differ from those employed within the EU". Therefore, the objective is not to mirror point by point the European legislation, but to establish the essential – core requirements of that legislation.

The purpose of adequacy decisions by the European Commission is to formally confirm with binding effects on Member States that the level of data protection in a third country or an international organization is essentially equivalent to the level of data protection in the European Union. Adequacy can be achieved through a combination of rights for the data subjects and obligations on those who process data, or who exercise control over such processing and supervision by independent bodies. However, data protection rules are only effective if they are enforceable and followed in practice. It is therefore necessary to consider not only the content of rules applicable to personal data transferred to a third country or an international organization, but also the system in place to ensure the effectiveness of such rules. Efficient enforcement mechanisms are of paramount importance to the effectiveness of data protection rules.

Article 45, paragraph (2) of the GDPR, establishes the elements that the European Commission shall take into account when assessing the adequacy of the level of protection in a third country or international organization. For example, the Commission shall take into consideration the rule of law, respect for human rights and fundamental freedoms, relevant legislation, the existence and effective functioning of one or more independent supervisory authorities and the international commitments the third country or international organization has entered into.

It is therefore clear that any meaningful analysis of adequate protection must comprise the two basic elements: the content of the rules applicable and the means for ensuring their effective application. It is upon the European Commission to verify

on a regular basis - that the rules in place are effective in practice. The ‘core’ of data protection ‘content’ principles and ‘procedural/enforcement’ requirements, which could be seen as a minimum requirement for protection to be adequate, are derived from the EU Charter of Fundamental Rights and the GDPR. In addition,

consideration should also be given to other international agreements on data protection, e.g. Convention 108. Attention must also be paid to the legal framework for the access of public authorities to personal data.

General provisions regarding data protection and privacy in the third country are not sufficient. On the contrary, specific provisions addressing concrete needs for practically relevant aspects of the right to data protection must be included in the third country’s or international organization’s legal framework. These provisions have to be enforceable. According to Article 45 (4) of the GDPR it is upon the European Commission to monitor – on an ongoing basis - developments that could affect the functioning of an adequacy decision.

Article 45 (3) of the GDPR provides that a periodic review must take place at least every four years. This is, however, a general time frame which must be adjusted to each third country or international organization with an adequacy decision. Depending on the particular circumstances at hand, a shorter review cycle could be warranted. Also, incidents or other information about or changes in the legal framework in the third country or international organization in question might trigger the need for a review ahead of schedule. It also appears to be appropriate to have a first review of an entirely new adequacy decision rather soon and gradually adjust the review cycle depending on the outcome.

Given the mandate to provide the European Commission with an opinion on whether the third country, a territory or one or more specified sectors in this third country or an international organization, no longer ensures an adequate level of protection, the EDPB must, in due time, receive meaningful information regarding the monitoring of the relevant developments in that third country or international organization by the EU Commission. Hence, the EDPB should be kept informed of any review process and review mission in the third country or to the international organization. The EDPB would appreciate to be invited to participate in these review processes and missions.

It should also be noted that according to Article 45 (5) of the GDPR the European Commission has the right to repeal, amend or suspend existing adequacy decisions. The procedure to repeal, amend or suspend should consequently involve the EDPB by requesting its opinion pursuant Art. 70(1) (s).


Art. 46 GDPR Transfers subject to appropriate safeguards

In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by:

A legally binding and enforceable instrument between public authorities or bodies;

Binding corporate rules in accordance with Article 47;

Standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2);

Standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2);

An approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights; or

An approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.

3. Subject to the authorisation from the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by:

Contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or

Provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.

The supervisory authority shall apply the consistency mechanism referred to in Article 63 in the cases referred to in paragraph 3 of this Article.

Authorisations by a Member State or supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid until amended, replaced or repealed, if necessary, by that supervisory authority. Decisions adopted by the Commission on the basis of Article 26(4) of Directive 95/46/EC shall remain in force until amended, replaced or repealed, if necessary, by a Commission Decision adopted in accordance with paragraph 2 of this Article.

Suitable Recitals

(108) Appropriate safeguards; (109) Standard data protection clauses.

COMMENTARY:

Transfers on the Basis of “Appropriate Safeguards”

When the Directive was passed in 1995, it anticipated that many countries would not have the benefit of an adequacy decision. For such situations, it introduced the possibility of basing data transfers to non-EU countries on what came to be termed “appropriate safeguards” for individuals. “Appropriate safeguards”


referred to legally binding commitments by companies to provide adequate protection over individuals’ data, backed up by effective legal remedies for both affected individuals and European DPAs.

In data protection literature, these transfer mechanisms are often referred to as “alternative transfer tools” or “alternative transfer mechanisms”—an allusion to the fact that while a Commission adequacy decision may represent the ideal basis for international data transfers, “appropriate safeguards” remain as alternatives for companies in countries where no adequacy decision exists.

“Appropriate safeguard” mechanisms developed under the Directive for permitting transatlantic data transfers include model contractual clauses (“model clauses”) and binding corporate rules (BCRs). The GDPR expressly recognizes and permits both of these mechanisms. Additionally, the GDPR creates new transfer mechanisms in the form of approved codes of conduct and certifications. In the following, we will briefly sketch each alternative transfer mechanism, as well as address some of the practical considerations associated with implementing them under the GDPR.

1. Model Clauses

Model clauses have proven particularly useful for companies that engage in large and routine transfers of data from the EU to the U.S. Many large and recognizable

U.S. companies use model clauses as the basis of data flows from customers and subsidiaries because they are standardized and (by law) nonnegotiable, which make them advantageous for standard terms as well as for intra corporate arm’s-length agreements.

a. Model Clauses under the GDPR

Like the Directive, the GDPR continues to permit transfers on the basis of model clauses. To use the GDPR’s language, “standard data protection clauses adopted by the Commission” constitute “appropriate safeguards” that permit data transfers to non-EU countries even in the absence of an adequacy decision. Moreover, the GDPR expressly provides that model clauses adopted under the Directive will continue in force under the GDPR until amended, replaced, or repealed. Practically speaking, this means that companies that have model clauses in place that predate the GDPR will be able to continue relying on them after the GDPR enters into force in May 2018.

Additionally, the GDPR expands the possibilities for model clauses in the future. In addition to the Commission’s already-existing model clauses, the GDPR now grants national DPAs the authority to adopt their own “standard data protection clauses.” To do so, DPAs must first present proposed model clauses to the Commission for approval. If the Commission approves, companies subject to that DPA’s jurisdiction can take advantage of its model clauses as a basis for international data transfers. This ground may be useful for the development of model clauses that accommodate specific sectorial needs, such as the cloud or travel sector.


On a helpful note, the GDPR codifies several practices that developed under the Directive among certain DPAs regarding model clauses. This ensures these practices will be available EU-wide and not merely in isolated jurisdictions:

To date, the Commission has adopted only controller-to-controller and controller-to-processor model clauses—but no model clauses for processor-to- processor (P2P) transfers. Although model P2P clauses have long been discussed in the EU, and the Article 29 Working Party even went so far as to draft (but not finalize) such clauses, model P2P clauses are presently a rarity in the EU. The GDPR permits both the Commission as well as national DPAs to adopt model P2P clauses.

Finally, the GDPR allows companies to draft ad hoc data transfer agreements and submit them to the competent DPA for approval. These can also be processor- to-processor clauses. It is expected that most DPAs will require ad hoc agreements to largely reflect the provisions of the model clauses (even if that is not a formal requirement).


Art. 47 GDPR Binding corporate rules

The competent supervisory authority shall approve binding corporate rules in accordance with the consistency mechanism set out in Article 63, provided that they:

Are legally binding and apply to and are enforced by every member concerned of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees;

Expressly confer enforceable rights on data subjects with regard to the processing of their personal data; and

fulfill the requirements laid down in paragraph 2.

The binding corporate rules referred to in paragraph 1 shall specify at least:

The structure and contact details of the group of undertakings, or group of enterprises engaged in a joint economic activity and of each of its members;

The data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question;

Their legally binding nature, both internally and externally;

The application of the general data protection principles, in particular purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the binding corporate rules;

The rights of data subjects in regard to processing and the means to exercise those rights, including the right not to be subject to decisions based solely on

automated processing, including profiling in accordance with Article 22, the right to lodge a complaint with the competent supervisory authority and before the competent courts of the Member States in accordance with Article 79, and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules;

The acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member concerned not established in the Union; the controller or the processor shall be exempt from that liability, in whole or in part, only if it proves that that member is not responsible for the event giving rise to the damage;

How the information on the binding corporate rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph is provided to the data subjects in addition to Articles 13 and 14;

The tasks of any data protection officer designated in accordance with Article 37 or any other person or entity in charge of the monitoring compliance with the binding corporate rules within the group of undertakings, or group of enterprises engaged in a joint economic activity, as well as monitoring training and complaint- handling;

The complaint procedures;

The mechanisms within the group of undertakings, or group of enterprises engaged in a joint economic activity for ensuring the

1 ... 18 19 20 21 22 23 24 25 26 ... 71
Go to page:

Free e-book «GDPR Articles With Commentary & EU Case Laws, Adv. Prashant Mali [books to read as a couple .txt] 📗» - read online now

Comments (0)

There are no comments yet. You can be the first!
Add a comment