GDPR Articles With Commentary & EU Case Laws, Adv. Prashant Mali
- Author: Adv. Prashant Mali
The controller or processor shall document the assessment as well as the suitable safeguards referred to in the second subparagraph of paragraph 1 of this Article in the records referred to in Article 30.
Suitable Recitals
(111) Exceptions for certain cases of international transfers; (112) Data transfers due to important reasons of public interest; (113) Transfers qualified as not repetitive and that only concern a limited number of data subjects; (114) Safeguarding of enforceability of rights and obligations in the absence of an adequacy decision; (115) Rules in third countries contrary to the Regulation.
COMMENTARY:
The derogations provided for by the Directive have been maintained and developed in Article 49 of the Regulation. Subject to several adaptations, the derogations already covered by the Directive are set out here, such as:
The explicit consent of the data subject for the transfer (a). Since this derogation is based on consent, the commented provision requires the controller to obtain the “explicit” consent of the data subject to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
When the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request (b);
When the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person (c);
When the transfer is necessary for important reasons of public interest (d). Recital 112 provides several examples of data transfer needed for important reasons of general interest: in case of international exchange of data between competition authorities, tax or customs administrations, between financial supervisory authorities, between services responsible for matters of social security or public health. In this regard, Article 49 (4) specifies that the general interest justifying the transfer must be recognized by the EU law or the national law of the Member State of the controller;
When the transfer is necessary for the establishment, exercise or defence of legal claims (e);
When the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent (f). The derogation relating to the vital interests of the data subject now also seeks the protection of the vital interests of others.
When the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest. The consultation conditions must be met in compliance with the Union or Member State law (g). Paragraph 2 restricts the data that can be subject of a transfer in this case. Such transfer shall not involve the entirety of the personal data or entire categories of the personal data contained in the register. Finally, where the register is intended for consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or if they are to be the recipients.
The essential innovation of Article 49 is the introduction of a new derogation based on the need for the transfer for the purpose of compelling legitimate interests pursued by the controller or the processor; resorting to this derogation is however strictly controlled.
To invoke this derogation, the transfer
Cannot be based on Articles 45 (adequate level of protection) or 46 (sufficient safeguards) including those related to the binding corporate rules (Article 47) or any other derogations referred to in Articles 49 (1), (a) to (f);
Must not be repetitive and must concern only a limited number of data subjects, which means taking into consideration the amount of personal data and the number of data subjects and considering whether the transfer is carried out on an occasional or regular basis;
Must be necessary in the pursuit of “incontestable” legitimate interests of the controller which are not overridden by the interests or rights and freedoms of the data subject;
The controller or the processor has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. This means that the controller should take into consideration the nature of the data, the purpose and duration of envisaged processing as well as the situation in the country of origin, in the third country and the country of final destination and provide appropriate safeguards to protect fundamental rights and freedoms of natural persons. The final version of the regulation adds that the controller or the processor must document the above assessment and the safeguards taken accordingly (6).
The controller must not only notify the supervisory authority of said transfer but must also provide additional information to the data subjects regarding the compelling interests that justify the transfer of their data, in addition to the information referred to in articles 13 and 14.
It should be noted that the derogations based on the consent of the data subject, on the contractual need (that is, the exceptions referred to in Article 49 (1) (b) and (c)), as well as on compelling legitimate interests of the controller, are not applicable to the activities of the public authorities in the exercise of their prerogative of public power (paragraph 3).
Finally, according to paragraph 5, in the absence of an adequacy decision, Union or Member State law may, for important reasons of public interest, expressly set limits to the transfer of specific categories of personal data to a third country or an international organization.
Article 26 of the Directive formulated six exceptions to the prohibition to transfer data to a third country not providing an adequate level of protection. They addressed limited cases presenting risks normally mitigated for the data subject, taking account of the primacy of the public interest or that of the data subject over data protection. According to the Article 29 Working Party, resorting to these exemptions should be the ultimate solution only, when no other provision was made to allow the transfer (G29, Working Document of 24 July 1998, Transfers of Personal Data to Third Countries: Application of Articles 25 and 26 of the Directive on the Data Protection, WP 12).
These exemptions addressed the following cases: when the data subject had given his explicit consent to the transfer; when the transfer was necessary in the context of a contract or a legal action; when the protection of an important public interest demanded it; or for recognition, exercise or defence of a legal right, for example in the case of international exchange of data between tax or customs administrations or between services competent for social security; when the transfer was necessary to protect the vital interest of the data subject, or when the transfer was made from a register established by law and intended to be viewed by the public or by persons who can prove a legitimate interest.
These exceptions were subject to a strict interpretation, as advocated by the Article 29 Working Party in its Working Paper No. 114 on a common interpretation of the provisions of Article 26 (1) of Directive 95/46/EC of 24 October 1995, adopted on 25 November 2005, because the data have no protection after their transfer.
Article 49 contains the traditional exceptions, already implemented by the Directive. The provision, in admitting an exception to the prohibition of transfer on the basis of indisputable legitimate interests of the controller, also aims to facilitate the admission of exceptional transfers to third countries without an adequate level of protection, while safeguarding the rights of the data subject. It could be particularly useful in the event that the data is transferred to a processor outside the EU.
Art. 50 GDPR International cooperation for the protection of personal data
1. In relation to third countries and international organisations, the Commission and supervisory authorities shall take appropriate steps to:
Develop international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data;
Provide international mutual assistance in the enforcement of legislation for the protection of personal data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal data and other fundamental rights and freedoms;
Engage relevant stakeholders in discussion and activities aimed at furthering international cooperation in the enforcement of legislation for the protection of personal data;
Promote the exchange and documentation of personal data protection legislation and practice, including on jurisdictional conflicts with third countries.
Suitable Recitals
Cooperation among supervisory authorities.
COMMENTARY:
In relation to third countries and international organizations, Article 50 requires the Commission and the supervisory authorities to take certain measures in order to facilitate the application of the data protection principles. This provision takes into account the recommendation of the Organization for Economic Cooperation and Development (OECD) of 12th June 2007 on the cross-border cooperation in the application of the laws protecting privacy.
These measures are intended to develop international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data (paragraph 1 (a)). They should then provide international mutual assistance in the enforcement of legislation for the protection of personal data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal data and other fundamental rights and freedoms (paragraph 1 (b)).
These mechanisms are intended, on the one hand, to engage the relevant stakeholders in discussion and activities aimed at furthering international cooperation in the enforcement of legislation for the protection of personal data (paragraph 1 (c)); and, on the other hand, to promote the exchange and documentation of personal data protection legislation and practice, including on jurisdictional conflicts with third countries (paragraph 1 (d)).
The Directive did not envisage the possibility of cooperation between the Member States and non-Union third countries or international organizations.
* * *
CHAPTER 6: INDEPENDENT SUPERVISORY AUTHORITIES
Section 1: Independent status
Art. 51 GDPR Supervisory Authority
Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union (‘supervisory authority’).
Each supervisory authority shall contribute to the consistent application of this Regulation throughout the Union. For that purpose, the supervisory authorities shall cooperate with each other and the Commission in accordance with Chapter VII.
Where more than one supervisory authority is established in a Member State, that Member State shall designate the supervisory authority, which is to represent those authorities in the Board and shall set out the mechanism to ensure compliance by the other authorities with the rules relating to the consistency mechanism referred to in Article 63.
Each Member State shall notify to the Commission the provisions of its law, which it adopts pursuant to this Chapter, by 25 May 2018 and, without delay, any subsequent amendment affecting them.
Suitable Recitals
Establishment of supervisory authorities; (118) Monitoring of the supervisory authorities; (119) Organisation of several supervisory authorities of a Member State; (120) Features of supervisory authorities.
COMMENTARY:
The GDPR
As provided for in the Directive, Article 51 requires the Member States to set up one or several independent supervisory authorities responsible for the monitoring of the application of the Regulation.
The supervisory authority is defined in Article 4 (21) as “an independent public authority, which is established by a Member State pursuant to Article 51”. The final version of the Regulation specifies that these authorities are intended, on the one hand, to protect the fundamental rights and freedoms of natural persons in relation to processing, and on the other, to facilitate the free flow of personal data within the Union.
According to paragraph 2, each supervisory authority shall contribute to the consistent application of the Regulation throughout the Union. For that purpose, the supervisory authorities shall cooperate with each other and with the Commission in accordance with Chapter VII.
It should be noted that the Regulation expressly allows the Member States to create several control authorities. In this case, the Member State shall designate the supervisory authority, which is to represent those authorities on the European Data Protection Board. The Member State shall also set out the mechanism to ensure compliance by other authorities with the rules relating to the consistency mechanism referred to in Article 63.
All the provisions adopted by a Member State under Chapter VI must be notified to the Commission no later than two years after the entry into force of the Regulation, that is, the 20th day following its publication in the Official Journal of the European Union (Art. 99). Any