Security reinforced for transfers

  • Transfer of personal data (for processing) outside of the European Economic Area EEA are permitted only under specified conditions
    • Transfer is directly permitted to third country listed as ensuring adequate level of protection without further authorisation required (see map on following slide)
    • In absence of adequacy, transfer is permitted only under 2 conditions:
      • Controller/Processor provide for Appropriate safeguards such as
        • BCR Binding Corporate Rules (approved by supervisory)
        • Standard data protection clauses (from Commission or supervisory authority)
        • Code of conduct
        • Certification
        • Contractual clauses
      • Data subject enjoy rights and remedies (enforceable and effective)
  • Notes
    • Data processors are now also subject to international transfer rules
    • A transfer is considered as such from the moment the data leaves the EU
    • Before transfer occurs, the data subject should be notified and give consent
    • Quid Safe Harbor / Privacy Shield?