IAPP CIPM – International Transfers and DPO
Hi guys. In this lesson, we will discuss mandatory and voluntary data protection officers, or DPOs, under Article 37. The GDPR specifies that a DPO is required to be appointed by a controller or processor in the following situations: first, when the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; second, when the controller’s or processor’s core activities consist of processing operations which, by their nature, require regular and systematic monitoring of data subjects on a large scale; and third, when the controller’s or processor’s core activities consist of processing special categories of data on a large scale in accordance with Article 9, or personal data relating to criminal convictions and offences in accordance with Article 10.
The Working Party 29 has published guidance to further explain these requirements. All public authorities will be expected to designate a DPO, but the Working Party 29 noted that private organisations sometimes carry out public tasks or exercise public authority in areas such as public transportation, utilities, infrastructure, housing, and broadcasting. These organisations are not required to nominate a DPO, yet they are encouraged to do so, given that data subjects have little choice and little control over how their data is processed by such organisations. Core activities are those that encompass how an organisation makes money and the activities supporting the money-making process.
The Working Party 29 cited the use of health data by hospitals as being part of their core activities of providing health care services, as opposed to support activities like human resources, accounting, or IT that all organisations would use. Large scale is not defined in the GDPR, but factors to consider include the number of data subjects involved, the volume of data, the different types of data, the permanence of the processing, and the geographic scope of the processing. Hospitals, banks, insurance companies, telecom providers, and ISPs were cited as large-scale processors in the normal course of their businesses. Regular and systematic monitoring is defined to include, but not be limited to, online tracking and profiling, including tracking used for behavioral advertising. The regular aspect can be ongoing, occurring at regular intervals or continuously, while the systematic aspect would take place as part of a prearranged plan to gather data to achieve a strategy.
Telecom services, email and data-driven marketing, profiling and scoring, location tracking, behavioural advertising, CCTV, wearable device monitoring, and smart connected devices, including those comprising the Internet of Things, are all considered to be undertaking regular and systematic monitoring. When an organisation does not strictly meet one of these mandated situations, the Working Party 29 believes it is still beneficial to voluntarily appoint a DPO, given the assistance the role provides in complying with the new regulation and the significant increase in credibility with data subjects and in data privacy assessments. In either case, the decision to have or not have a DPO must be documented, citing the factors listed above in determining whether the role is required or not, as well as whether voluntary designation will occur. The GDPR requires that a voluntarily designated DPO perform all of the same tasks, and that controllers have the same obligations to the DPO, as if the designation were mandatory.
Hi, guys. In this lesson, we’ll go over international transfers step by step with examples. I have received a lot of questions regarding how personal data flows between different countries, and I have decided to take an entire section and explain that from start to finish. We will also understand what the GDPR allows us in terms of safeguards or other separate procedures in order for our company or our data to flow in a manner that is considered compliant. So let’s start with a glance.
The GDPR primarily applies to controllers and processors located in the European Economic Area, which we will call the EEA from now on, with some exceptions, for sure. Individuals risk losing the protection of the GDPR if their personal data is transferred outside of the EEA. On that basis, the GDPR restricts transfers of personal data outside the EEA, or outside the protection of the GDPR, unless the rights of the individuals in respect of their personal data are protected in another way, or one of a limited number of exceptions applies. A transfer of personal data outside the protection of the GDPR, which we refer to as a “restricted transfer,” most often involves a transfer from inside the European Union to a country outside the European Union. If you wish to make one, you should answer the following questions until you reach a provision that permits your restricted transfer: Are we planning to make a restricted transfer of personal data outside the European Union? Do we need to make a restricted transfer of personal data in order to meet our purposes? Has the European Union made an adequacy decision in relation to the country or territory where the receiver is located, or a sector that covers the receiver?
We will understand what an adequacy decision is during this course, and we will take this in a separate lesson. Have we put in place one of the appropriate safeguards referred to in the GDPR? We’ll have a separate lesson on safeguards, since the safeguards are the most commonly encountered measures in these restricted transfers. Does an exception provided in the GDPR apply? If yes, you can make the transfer. If not, you cannot make the transfer in accordance with the GDPR. If you reach the end without finding a provision that permits the restricted transfer, you will be unable to make that restricted transfer in accordance with the GDPR. As I said before, the safeguards will be the most important part that we will focus on, because these are the measures that you need to take into consideration, and these are the ones I’ve seen most often at small and medium-sized businesses as well as large corporations. In brief, what are the restrictions on international transfers? The GDPR restricts the transfer of personal data to countries outside the European Union or to international organisations.
These restrictions apply to all transfers, no matter the size or how often you carry them out. So, are we making a restricted transfer? You are making a restricted transfer if three conditions are met. First, the GDPR applies to your personal data processing. The scope of the GDPR is set out in Article 2 (what is “processing” of personal data?) and Article 3 (where does the GDPR apply?); please also see the guide’s section “What is personal data?”. In general, the GDPR applies if you are processing personal data in the European Union, and may apply in specific circumstances if you are outside the European Union and processing personal data about individuals in the European Union. Second, you are sending personal data, or making it accessible, to a receiver to whom the GDPR does not apply, usually because they are located in a country outside the European Union. And third, the receiver is a separate organisation or individual. The receiver cannot be employed by you or by your company, but it can be a company in the same group. So let’s take some examples.
Example one: a UK company uses a centralised human resources service in the United States provided by its parent company. The UK company passes information about its employees to its parent company in connection with the HR service. This is a restricted transfer. Example two: a UK company sells holidays in Australia. It sends the personal data of customers who have bought the holidays to the hotels they have chosen in Australia in order to secure their bookings. This is again a restricted transfer. Note that transfer does not mean the same as transit. If personal data is simply routed electronically through a non-EU country, but the transfer is from one EU country to another, it is not a restricted transfer. Let’s take an example. Personal data is transferred from a controller in France to a controller in Ireland, both countries in the European Union, via a server in Australia. There is no intention that the personal data will be accessed or manipulated while it is in Australia. Therefore, the transfer is only to Ireland.
You are also making a restricted transfer if you collect information about individuals on paper that is not ordered or structured in any way and send this to a service company located outside of the European Union to put it into digital form or add it to a highly structured manual filing system relating to individuals. Let’s look at an example in this case. A UK insurance broker sends a set of notes about individual customers to a company in a non-EU country. These notes are handwritten and are not stored on a computer or in any particular order. The company in the non-EU country adds the notes to a computerised customer management system. This is a restricted transfer. Also, putting personal data on a website will often result in a restricted transfer. The restricted transfer takes place when someone outside the European Union accesses personal data via the website. If you load personal data onto a server which is then available through a website, and you plan or anticipate that the website may be accessed from outside the European Union, you should treat this as a restricted transfer. The second question to ask is: is it to a country outside of the European Union? The European Economic Area countries consist of the European Union member states and the EFTA states.
The European Union member states are listed in the first part of the slides, and the EFTA states are Iceland, Norway, and Liechtenstein. The EEA Joint Committee has made the decision that the GDPR applies to those countries, and transfers to those countries are not restricted. Do we need to make a restricted transfer of personal data outside these countries? Before making a restricted transfer, you should consider whether you can achieve your goals without actually sending personal data. If you make the data anonymous, so that it is never possible to identify individuals, even when combined with other information that is available to the recipient, it is not personal data. This means that the restrictions do not apply, and you are free to transfer anonymised data outside the European Union.
Hi guys. With this lesson we’ll start to learn how to make a restricted transfer in accordance with the GDPR. First, we’ll speak about adequacy decisions, and you must work through the questions that we will discuss in this lesson. If, by the end, you are still unable to make the restricted transfer, then it will be in breach of the GDPR. You should then take the next lesson on the safeguards and understand whether one of the safeguards applies or can be applied.
Then, in the third lesson, we’ll discuss exceptions. If none of these apply, the transfer is not in compliance with the GDPR. So, has the European Commission made an adequacy decision about the country or international organisation to which you are making the restricted transfer? That’s the first and most important question you should ask yourself. So let’s see what exactly this adequacy decision is. This decision is a finding by the Commission that the legal framework in place in that country, territory, or sector provides adequate protection for individuals’ rights and freedoms with respect to their personal data. Adequacy decisions made prior to the GDPR remain in force unless a further Commission decision decides otherwise. The Commission plans to review these decisions at least once every four years. Think of it mostly as a certification made by the Commission for those specific countries.
So the Commission really trusts the legal environment, the legal framework that exists in that country, and it considers it to be in accordance with the data protection principles of the GDPR. Therefore, for the next four years, the certification is created by the Commission through this decision for that specific country. If the transfer is covered by an adequacy decision, you may go ahead with the restricted transfer. Of course, you must still comply with the rest of the GDPR. All European Commission adequacy decisions to date also cover restricted transfers made from EEA states. The EEA Joint Committee will need to make a formal decision to adopt any future adequacy decisions of the European Commission for them to cover restricted transfers from the EEA states. Again, EEA stands for the European Economic Area. So what adequacy decisions have there been? As of July 2018, the Commission has made a full finding of adequacy for the following countries and territories: Andorra, Argentina, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland, and Uruguay.
The Commission has made partial findings of adequacy about Canada and the United States. The adequacy finding for Canada only covers data that is subject to Canada’s Personal Information Protection and Electronic Documents Act, called PIPEDA. Not all data is subject to PIPEDA. For more details, including FAQs on how this adequacy finding is set up, please see the Commission’s web page. The adequacy finding for the USA covers only personal data transfers made under the EU-US Privacy Shield framework. The Privacy Shield places requirements on US companies certified under the scheme to protect personal data and to provide redress mechanisms for individuals. US government departments such as the Department of Commerce oversee certification under the scheme. If you want to transfer personal data to a US organisation under the Privacy Shield, you need to check the Privacy Shield list to see whether the organisation has a current certification, and make sure the certification covers the type of data you want to transfer.
We are expecting an adequacy decision for Japan really soon. You can also view an up-to-date list of the countries that have an adequacy finding on the European Commission’s data protection website. You should check back regularly for any changes. Let me just show you the website, ec.europa.eu, which is very practical; you can Google it under data transfers outside the European Union. As I said, this is the list. You can see all of the details for these adequacy decisions by clicking on each of the countries, and if a new one is adopted, you will see it here in the list. There are also discussions with South Korea and Japan that will be launched, but they have not yet been published here. We are approaching September 5, and Japan will most likely be the first to be added to this list. Then the question that you may ask is, “What if there is no adequacy decision?” What if you want to send or make a restricted transfer to a country that is not here on the list but is still a non-EU country? We’ll discuss this in the following lesson.
Hi guys. In this lesson, we’ll discuss the appropriate safeguards. If there is no adequacy decision about the country, territory, or sector for your restricted transfer, you should then find out whether you can make the transfer subject to one of the appropriate safeguards listed in the GDPR. These appropriate safeguards ensure that both you and the receiver of the transfer are legally required to protect individuals’ rights and freedoms regarding their personal data. If the transfer is covered by an appropriate safeguard, you may go ahead with the restricted transfer. Of course, you must still comply with the rest of the GDPR. There are seven safeguards, and we will analyse each and every one of them.
First, a legally binding and enforceable instrument between public authorities or bodies. You can make a restricted transfer if you are a public authority or body, you are transferring to another public authority or body, and you have both signed a contract or another legal instrument that is legally binding and enforceable. This contract or instrument must include enforceable rights and effective remedies for individuals whose personal data is transferred. This is not an appropriate safeguard if either you or the receiver is a private body or an individual. If you are a public authority or body that does not have the power to enter into legally binding and enforceable arrangements, you may consider an administrative arrangement that includes enforceable and effective individual rights. Second, binding corporate rules. You can make a restricted transfer if both you and the receiver have signed up to a group document called “Binding Corporate Rules,” or BCRs.
BCRs are an internal code of conduct operating within a multinational group that applies to restricted transfers of personal data from the group’s EEA entities to its non-EEA entities. This may be a corporate group or a group of undertakings or enterprises engaged in joint economic activity, such as franchises or joint ventures. You must submit BCRs for approval to a European Union supervisory authority in a European Union country where one of the companies is based. Usually this is where the European head office is located, but it does not need to be. We will discuss this in the following lesson about the lead supervisory authority, so let’s not focus on this topic now. Binding corporate rules ensure that all data transfers within a corporate group are safe.
BCRs are described under Article 47. They will be approved by the relevant DPA if they bind all the members of the corporate group, including their employees; give data subjects clear, enforceable rights related to the processing of their personal data; and specify, at a minimum, the following: the structure and contact details of the group; the categories of personal data transferred; the legally binding nature of the rules; the application of the general data protection principles; the rights of data subjects and how they exercise those rights; the acceptance of liability by group members established in the European Union for rule breaches by group members not established in the European Union; how information on the rules is provided to data subjects; the tasks of the data protection officer or privacy officer; complaint procedures; methods for ensuring compliance; how changes to the rules are reported; cooperation with the DPAs; how some European laws might impact the guarantees in the rules; and data protection training. The Working Party 29 has revised the two sets of criteria to be used when submitting BCRs to a data protection authority for approval.
These are, first, for controllers inside the European Union who transfer data outside the Union to a controller or processor within the same corporate group as the original controller, and second, for controllers inside the European Union who transfer data outside the Union to a processor outside the same corporate group, where the processing is done within the processor’s corporate group. The original controller and the original processor would be bound by a controller-processor agreement, as would any sub-processors. The concept of using BCRs to provide adequate safeguards for making restricted transfers was developed by the Article 29 Working Party in a series of working documents. This is a toolkit for organisations. The documents, including application forms and guidance, have all been revised and updated in line with the GDPR, and you can usually find them on the DPA’s website. BCRs usually take a long time, around eleven months at minimum, and also cost a lot of money. You will see BCRs at big multinational companies like HP, IBM, Microsoft, et cetera. Let’s speak about the third safeguard: standard data protection clauses adopted by the Commission.
You can make a restricted transfer if you and the receiver have entered into a contract incorporating standard data protection clauses adopted by the Commission. These are known as the “standard contractual clauses,” or “model clauses,” and there are four sets that the Commission adopted under the Directive. They must be entered into by the data exporter, which is based in the European Union, and the data importer, which is outside the European Union. The clauses contain contractual obligations on the data exporter and the data importer, and rights for the individuals whose personal data is transferred. Individuals can directly enforce those rights against the data importer and the data exporter. There are two sets of standard contractual clauses for restricted transfers between two controllers, and two sets for transfers between a controller and a processor.
The earlier set of clauses between a controller and a processor can no longer be used for new contracts and is only valid for contracts entered into prior to 2010. The Commission plans to update the existing standard contractual clauses for the GDPR. Until then, you can still enter into contracts that include the Directive-based standard contractual clauses. Existing contracts incorporating standard contractual clauses can continue to be used for restricted transfers. If you are entering into a new contract, you must use the standard contractual clauses as they are. You can include additional clauses on business-related issues, provided that they do not contradict the standard contractual clauses. For example, a family books a holiday in Australia with a UK travel company. The UK travel company sends details of the booking to the Australian hotel. Each company is a separate controller, as it is processing the personal data for its own purposes and making its own decisions. Controller-to-controller standard contractual clauses should be used in the contract between the UK travel company and the hotel. So let’s speak now about codes of conduct, certification, and bespoke clauses, another three important safeguards. You can make a restricted transfer if the recipient has agreed to a code of conduct approved by a supervisory authority.
The code of conduct must include appropriate safeguards to protect the rights of individuals whose personal data is transferred, and those rights must be directly enforceable. The GDPR endorses the use of approved codes of conduct to demonstrate compliance with its requirements. This option is newly introduced by the GDPR, and no approved codes of conduct are yet in use. You can make a restricted transfer if the receiver has a certification under a scheme approved by a supervisory authority. The certification scheme must include appropriate safeguards to protect the rights of individuals whose personal data are transferred, and those rights must be directly enforceable. Again, this option is newly introduced, and no approved certifications are in use. You can make a restricted transfer if you and the receiver have entered into a bespoke contract governing a specific restricted transfer that has been individually authorised by the supervisory authority of the country from which the personal data is exported.
At present, for example, the ICO in the UK is not authorising any such bespoke contracts until guidance has been produced by the European Data Protection Board. The Board has replaced the Article 29 Working Party; it includes representatives from the data protection authorities of each EU member state and each EEA state, and it adopts guidelines for complying with the requirements of the GDPR. The last safeguard is administrative arrangements between public authorities or bodies which include enforceable and effective rights for the individuals whose personal data is transferred and which have been authorised by a supervisory authority. You can make a restricted transfer under this safeguard if you are a public authority or body making a transfer to one or more public authorities or bodies, and at least one of the public authorities or bodies does not have the power to use any of the other appropriate safeguards; for example, it cannot enter into a binding contract.
In addition, you and the receiver must have entered into an administrative arrangement, usually a document setting out appropriate safeguards regarding the personal data to be transferred and providing effective and enforceable rights for the individuals whose personal data is transferred, and the administrative arrangement must have been individually authorised by the supervisory authority in the country from which you are making the restricted transfer. If the restricted transfer is to be made from the UK, the ICO must approve it. This is not an appropriate safeguard for restricted transfers between a public and a private body. Again, the option is newly introduced, and no approved administrative arrangements have yet been used. So what if the restricted transfer is not covered by any of the appropriate safeguards? The answer will be in the next lesson.