All personal data transfers to third countries or international organisations follow the rules set in Chapter V of the GDPR. In the case of an adequacy decision, data transfers do not require specific authorization; otherwise, the controller or processor must “provide appropriate safeguards” before transferring data to third countries.
Transfer of personal data to third countries or international organisations can take place after the European Commission has assessed and concluded that the third country or the international organisation has an adequate level of protection of personal data. The rules for adequacy assessment are laid out in Art. 45 (2) of the GDPR. The Commission shall consider:
- the rule of law, respect for human rights and fundamental freedoms, relevant legislation, data protection rules, professional rules and security measures, case law;
- the existence and effective functioning of one or more independent supervisory authorities responsible for ensuring and enforcing compliance with national data protection law;
- the international commitments and obligations that the third country or international organisation concerned has entered into, in particular in relation to the protection of personal data.
Please visit: https://gdpr-info.eu/art-45-gdpr/
There is a list of third countries considered by the European Commission to be countries that generally, either via legislation or other measures, ensure an adequate level of protection. Data transfers to these countries are not subject to authorization (Decision DPA 28/2007).
EU Contractual Clauses
To help controllers, the European Commission has provided standard contractual clauses that are automatically considered as sufficient safeguards in light of the applicable data protection rules.
When using the Commission’s standard contractual clauses, the controller should begin by determining whether the transfer is to a processor or a controller established in a third country, as separate standard contractual clauses exist for these types of transfers.
Alternatively, the companies can propose their own contractual clauses with sufficient data protection safeguards. These clauses must be submitted to the National Data Protection Agency according to article 46.3.a) of the GDPR and subsequently these clauses will have to be approved by the European Data Protection Board in accordance with article 46.4 of the GDPR through the consistency mechanism.
Standard contractual clauses are subject to the authorization procedure.
Please visit: Decision of the DPA 28/2007 – https://www.dataprotection.ro/servlet/ViewDocument?id=192
Binding Corporate Rules (BCRs)
The GDPR places binding corporate rules on a statutory footing. It will be possible to obtain authorisation from one supervisory authority that will cover transfers from anywhere in the EU.
Art. 47 (2) of the GDPR lays out the minimum requirements that BCRs should specify:
- the structure of the group of undertakings/enterprises engaged in the joint activity and the contact details of each member
- the full details of the data transfers
- the third country or countries in question
- their legally binding nature
- the application of the GDPR
- the rights of data subjects regarding the processing and the means to exercise those rights
- the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member concerned not established in the Union, unless they can prove they are not connected with the incident in the first place
- the mechanisms for reporting and recording changes to the rules and reporting those changes to the supervisory authority;
- the cooperation mechanism with the supervisory authority
- the mechanisms for reporting to the competent supervisory authority any legal requirements originating in the third country or countries and which are likely to have a substantial adverse effect on the guarantees provided by the binding corporate rules
- the appropriate data protection training to personnel having permanent or regular access to personal data
Please visit: https://gdpr-info.eu/art-47-gdpr/
The Romanian DPA issued Decision 41/2014 establishing a model of authorization for the transfer abroad of personal data based on binding corporate rules. An authorization by the DPA of a transfer abroad under BCR does not exempt the controller from meeting other obligations imposed under the personal data legislation.
Decision no. 41/2014 regarding the establishment of an authorization model for the transfer of personal data under Binding Corporate Rules (BCR) was repealed by Decision no. 99/2018 regarding the termination of the applicability of certain normative acts issued in accordance with Law no. 677/2001 on the protection of individuals with regard to the processing of personal data and the free movement of such data.
Please visit: Decision of the DPA 99/2018 – https://www.dataprotection.ro/servlet/ViewDocument?id=1497
Exceptions Established by Law
According to Chapter 3 of the GDPR, there are some exceptions under which international data transfers can be made without adequate protection:
- The data subject has given his unambiguous consent to the proposed transfer; or
- The transfer is necessary for the performance of a contract between the data subject and the data controller or the implementation of pre-contractual measures taken in response to the data subject’s request; or
- The transfer is necessary for the conclusion or performance of a contract concluded in the data subject’s interests between the data controller and a third party; or
- The transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims; or
- The transfer is necessary to protect the data subject’s vital interests; or
- The transfer is made from a register which, according to laws or regulations, is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in that particular case; or
- The transfer is necessary for the prevention, investigation and prosecution of criminal offences and the execution of sentences or the protection of persons charged, witnesses or other persons in criminal proceedings; or
- The transfer is necessary to safeguard public security, the defense of the Realm or national security.
Please visit: The European Data Protection Board Guidelines on derogations applicable to international transfers (2/2018).