Following our journey started on previous articles related to the analysis of the main novelties and changes entered by the new General Data Protection Regulation (hereinafter, GDPR), at Belzuz Abogados, S.L.P. Commercial Law Department, as experts in this field and with a expertise that vouches for us regarding Data Protection, we have deemed important to comment in this article the main changes and novelties on the former regulation on international transfers of personal data to third countries or international organisations.
The GDPR rules in chapter 5, arts. 44-50, both inclusive, Transfers of personal data to third countries or international organisations
The most noticeable change entered by the GDPR is the removal of the general rule of obtaining authorisations from the Director of the Spanish Data Protection Agency (AEPD, in Spanish) for international transfers, except in certain exceptional cases. This authorisation prior to the international transfer of personal data was compulsory with the former regulation, except for:
1) when the State where the importer is offers an appropriate protection level;
2) when the data disclosure results from the application of treaties or conventions of which Spain is a party;
3) when the transfer is made with the aim of providing or requesting international judicial assistance;
4) when this is required for the purposes of preventive medicine, medical diagnosis or the management of health care services;
5) in the case of money transfers in accordance with its specific laws;
6) when the data subjects have given their unambiguous consent;
7) when the transfer is necessary for the performance of an agreement between the data subject and the data controller;
8) when the transfer is necessary to enter an agreement in interest of the data subject by the data controller or third parties;
9) when the transfer is necessary or legally required to safeguard the public interest.
10) when it is necessary for the establishment, exercise or defence of legal claims; or
11) when the transfer is made at the request of a party with legitimate interest, from a Public Registry and in accordance with its aim.
The Director of the Spanish Data Protection Agency gave the authorisation if there were enough safeguards by the recipient of the personal data (agreement in accordance with the standard clauses of European Commission decisions and Binding Corporate Rules or BCR). Currently, if the safeguards provided for in the GDPR (its catalogue has been significantly expanded with regards to the previous regulation) exist, the AEPD’s authorisation is not needed anymore.
Another novelty is that, in accordance with the GDPR, the data exporter may be not only the data controller but also the data processor.
Therefore, the current picture is as follows:
1) Transfers based on a decision on adequacy to third countries or international organisations when the Commission has decided that they guarantee an appropriate protection level. In the same vein, as the previous regime, they don’t require an authorisation.
So far, the States that, according to the Commission, guarantee an appropriate level are: Andorra, Argentina, Canada, United States (those entities certified under the Privacy Shield), Guernsey, Isle of Man, Faroe Islands, Jersey, New Zealand, Switzerland and Israel.
2) In the absence of a decision among the provided for above, international transfers of personal data may be made when the appropriate safeguards are provided, without requiring the authorization of the supervisory authority. The safeguards that are deemed appropriate (article 46 of GDPR) are: (i) those arising from a legally binding and enforceable instrument between authorities; (ii) binding corporate rules (BCR); (iii) standard data protection clauses adopted by the Commission; (iv) standard data protection clauses adopted by a supervisory authority and approved by the Commission; (v) a code of conduct; or (vi) certification mechanism together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards.
3) In the absence of the adequacy decisions and the appropriate safeguards for the transfer of personal data, it is possible to carry out the international transfer to a third country or international organisation (without the AEPD’s authorisation) in the event that: (i) the data subject has explicitly consented to the proposed transfer; (ii) the transfer is necessary for the performance of a contract between the data subject and the controller for the implementation of pre-contractual measures; (iii) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person on behalf of the data subject; (iv) the transfer is necessary for important reasons of public interest; (v) the transfer is necessary for the establishment, exercise or defence of legal claims; (vi) it is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent, and (vii) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation. All of them are covered
As we advanced, and it is shown in the outline above, the main change introduced by the GDPR is the removal of authorisations by the supervisory authority, making the process of international transfer of personal data simpler and more comfortable. In fact, authorisations are reduced to the residual cases provided for in article 46.3 of GDPR, namely: (i) (non-standard) contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation, and (ii) provisions to be inserted into administrative arrangements between public authorities or bodies
At Belzuz Abogados, S.L.P. Commercial Law Department, being specialists of the Personal data protection field, we can advise on and help channelling international transfer of personal data that is necessary to carry out in order to draft agreements and other appropriate safeguards, as well as requesting authorisations from the AEPD, if necessary.
Belzuz Abogados SLP
La presente publicación contiene información de carácter general sin que constituya opinión profesional ni asesoría jurídica. © Belzuz Abogados, S.L.P., quedan reservados todos los derechos. Se prohíbe la explotación, reproducción, distribución, comunicación pública y transformación total o parcial, de esta obra, sin autorización escrita de Belzuz Abogados, S.L.P.