This Article explains the concept of transferring personal data from EU to third countries, what those third countries mean, the principles for making such transfers legitimate and the derogations from these principles, and last but not least, the transfer mechanisms of personal data to third countries.

I. Transfer of personal data from EU to third countries

A transfer of personal data to another country constitutes data processing so the EU National Data Protection Authority of the Member State (MS) must be notified where the transfer is being done, in the same way as other processing operations. No restrictions or other formalities apply in relation to transfer of personal data to:

  1. European Union (EU) Member States (MS);
  2. Member countries of the European Economic Area (EEA);
  3. Third countries (i.e. countries that are not Member States of the European Union) which are from time to time recognized by the EU Commission to have an adequate level of protection; and
  4. Organisations complying with the US Department of Commerce’s Safe Harbour Privacy Principles.

i. The Council and the European Parliament have given the Commission the power to decide, on the basis of Article 25(6) of directive 95/46/EC, whether a third country ensures an adequate level of protection by reason of its domestic law or of the international commitments it has entered into.:

The Decision is that personal data can flow from the 27 EU countries and three EEA member countries (Norway, Liechtenstein and Iceland) to that third country without any further safeguards being necessary.

The Commission has so far recognized Andorra, Argentina, Australia, Canada, Switzerland, Faeroe Islands, Guernsey, State of Israel, Isle of Man, Jersey, the US Department of Commerce’s Safe Harbour Privacy Principles, and the transfer of Air Passenger Name Record to the United States’ Bureau of Customs and Border Protection as providing adequate protection.

ii. The organizations on this list have notified the Department of Commerce that they adhere to the U.S.-EU Safe Harbor Framework developed by the Department of Commerce in coordination with the European Commission. The U.S.-EU Safe Harbor Framework provides guidance for U.S. organizations on how to provide adequate protection for personal data from the EU as required by the European Union’s Directive on Data Protection.

If interested in an organization that you are doing business with or considering doing business with, you could check out the list here: https://safeharbor.export.gov/list.aspx.

II. Principles

The Article 25, Directive 95/46/EC set forward the principles for data transfer from the European Union (EU) to third countries:

1. The EU Member State (MS), from where the personal data is transferred, should ensure that the third country that receives the personal data, provides an adequate level of protection for that personal data while being processed or when it will be processed outside EEA. An adequate level of protection refers to the same level of protection the EU has in place with regards to the processing of personal data (e.g. legislation as strong as the Directive 95/46/EC).

2. In order to determine if the level of protection is adequate or not, there should be an assessment of the circumstances for a data transfer operation, the nature of the data, the purpose and duration of the processing operation, the country of origin and country of final destination, the data protection/privacy legal framework (both general and sectoral) enforced in the third country in question and the professional rules and security measures that country complies with.

3. The MS and the EU Commission shall inform each other of cases where they consider that a third country does not ensure an adequate level of protection within the meaning of the previous paragraph.

4. Where the Commission finds that a third country does not ensure an adequate level of protection within the meaning of paragraph 2, the MS should take the measures necessary to prevent any transfer of data of the same type to the third country in question.

5. Subsequently, the Commission should enter negotiations with that third country, to try to remedy the situation and find a common solution, either to stop the data transfer or to help enable the third country to offer an adequate level of protection (e.g. data transfer mechanisms).

6. The Commission can decide if a third country ensures an adequate level of protection by considering its domestic law or of the international commitments it has entered into, particularly upon conclusion of the negotiations referred to in the previous paragraph, for the protection of the private lives and basic freedoms and rights of individuals.

MS has to take the measures necessary to comply with the Commission’s decision.

III. Derogations

Article 26, Directive 95/46/EC provides that:

1. By way of derogation from Article 25, Directive 95/46/EC, Member States have to provide that a transfer of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25 (2) may take place on condition that:

(a) The data subject has given his consent unambiguously to the proposed transfer; or

(b) The transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken in response to the data subject’s request; or

(c) The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party; or

(d) The transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims; or

(e) The transfer is necessary in order to protect the vital interests of the data subject; or

(f) The transfer is made from a register which, according to laws or regulations, is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case.

2. Without prejudice to the previous paragraph, a MS may authorize a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection, where the controller provides adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and with regards to the exercise of the corresponding rights; such safeguards may in particular result from appropriate contractual clauses.

3. The MS has to inform the Commission and the other Member States of the authorizations it grants based on the safeguards (e.g. contractual clauses).

If a MS or the Commission objects on justified grounds involving the protection of the privacy and fundamental rights and freedoms of individuals, then the Commission has to take appropriate measures to protect the individual rights and freedoms with regards to the protection of their personal data.

MS have to take the necessary measures to comply with the Commission’s decision.

4. Where the Commission decides that certain standard contractual clauses offer sufficient safeguards as required by paragraph 2, MS shall take the necessary measures to comply with the Commission’s decision.

IV. Personal data transfer mechanisms

1. Standard Contractual Clauses

The use of standard contractual clauses is recommended in order to ensure that the rights of individuals are safeguarded even in countries which do not ensure an adequate level of protection.

According to the COMMISSION DECISION of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC, the standard contractual clauses are considered as offering adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights as required by Article 26(2) of Directive 95/46/EC.

STANDARD CONTRACTUAL CLAUSES (PROCESSORS)

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection

Name of the data exporting organization:

Address:

Tel., Fax, Email:

Other information needed to identify the organization (the data exporter):

And

Name of the data importing organization:

Address:

Tel., Fax, Email:

Other information needed to identify the organization:

(the data importer)

each a ‘party’; together ‘the parties’,

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

Clause 1

Definitions

For the purposes of the Clauses:

(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

(b) ‘the data exporter’ means the controller who transfers the personal data;

(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;

(d) ‘the sub-processor’ means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

(f) ‘technical and organizational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2

Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3

Third-party beneficiary clause

1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

3. The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.

4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4

Obligations of the data exporter

The data exporter agrees and warrants:

(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

(b) that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;

(c) that the data importer will provide sufficient guarantees in respect of the technical and organizational security measures specified in Appendix 2 to this contract;

(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e) that it will ensure compliance with the security measures;

(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

(g) to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i) that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and

(j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5

Obligations of the data importer

The data importer agrees and warrants:

(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to promptly inform the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract, and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c) that it has implemented the technical and organizational security measures specified in Appendix 2 before processing the personal data transferred;

(d) that it will promptly notify the data exporter about:

(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;

(ii) any accidental or unauthorized access; and

(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorized to do so;

(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

(f) at the request of the data exporter, to submit its data-processing facilities for audit of the processing activities covered by the Clauses, which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

(h) that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;

(i) that the processing services by the sub-processor will be carried out in accordance with Clause 11;

(j) to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.

Clause 6

Liability

1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor, is entitled to receive compensation from the data exporter for the damage suffered.

2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.

The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.

3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.

Clause 7

Mediation and jurisdiction

1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;

(b) to refer the dispute to the courts in the Member State in which the data exporter is established.

2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor which has the same scope, and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case, the data exporter shall be entitled to take the measures foreseen in Clause 5(b).

Clause 9

Governing law

The Clauses shall be governed by the law of the Member State in which the data exporter is established, namely:

Clause 10

Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11

Sub-processing

1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses (1). Where the sub-processor fails to fulfill its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement.

2. The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.

3. The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established, namely:

4. The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

Clause 12

Obligation after the termination of personal data-processing services

1. The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

2. The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.

On behalf of the data exporter:

Name (written out in full): …….

Position: …..

Address: …….

Other information necessary in order for the contract to be binding (if any): (stamp of organization)

Signature: ……………..

On behalf of the data importer:

Name (written out in full): …….

Position: …………..

Address: ………….

Other information necessary in order for the contract to be binding (if any): (stamp of organization)

Signature: ………………………………………………..

Appendix 1

to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties.

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

Data exporter

The data exporter is (please specify briefly activities relevant to the transfer):……..

Data importer

The data importer is (please specify briefly activities relevant to the transfer):………..

Data subjects

The personal data transferred concern the following categories of data subjects (please specify): …………………

Categories of data

The personal data transferred concern the following categories of data (please specify):…

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify): ………………………

Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify): ……………

DATA EXPORTER

Name: ……………………………………………………..

Authorized Signature: ……………………………..

DATA IMPORTER

Name: ………………………………………………

Authorized Signature: ………………………….

Appendix 2

to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties.

Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached): ……………………………..

2. Binding Corporate Rules

Binding corporate rules (BCRs) are internal rules such as a Code of Conduct that can be used by multinational companies to ensure that they are providing an adequate level of protection for the intra-group transfers of personal data from a country in the EU or the European Economic Area (EEA) to a third country.

The use of BCRs requires, in principle, the approval of each of the EU or EEA National Data Protection Authorities from whose country the data are to be transferred.

BCR provides a sufficient level of protection to companies to get authorization of transfers by national data protection authorities (“DPA”).

BCR’s applicability is different than the Standard Contractual Clauses as the BCR do not provide a basis for transfers made outside the group.

Art. 29 Working Party (The Working Party on the Protection of Individuals with regard to the Processing of Personal Data that has an advisory status and acts independently and examine any question covering the application of the national measures adopted under this Directive in order to contribute to the uniform application of such measures), provides a framework for BCR, which are not to be considered the official standard model of BCR.

This framework ensures that the requirements of the Directive 95/46/EC are met by those multinational organizations when processing data outside EU or EEA:

i. Scope

A description of the scope of the BCR’s application and especially:

- That they will apply to intra-group transfers and processing.

- The geographical scope (only data processed in the EU and transferred outside of the EU or all data).

- The material scope (e.g. type of processing: automated/manual, nature of data: customer/HR/suppliers).

A general description of the data flows and the purposes of the processing including:

- The nature of the data transferred,

- The purposes of the transfer/processing,

- The data importers/exporters in the EU and outside of the EU5

ii. Definitions

A description of the main terms and their definitions:

- The main definitions (personal data, sensitive personal data, data subject, controller, processor, processing, third party, Data Protection Authorities),

- Other relevant definitions might be inserted in a glossary, such as data exporter, data importer, EU headquarters/EU Member with delegated responsibilities, members of the group, privacy officer/function.

- A commitment to interpret the terms in the BCRs according to the EU Directives95/46/EC and 2002/58/EC.

iii. Purpose limitation

A description of the purposes for which the data are processed and transferred and confirmation that :

- Personal data will be transferred and processed for specific and legitimate purposes.

- Personal data will not be further processed in a way incompatible with those purposes.

- Sensitive Data will be provided with additional safeguards such as provided by the EU

Directive 95/46/EC.

iv. Data quality and proportionality

A commitment that:

- Personal data must be accurate and where necessary, kept up-to-date.

- Personal data should be adequate, relevant and not excessive in relation to the purposes for which they are transferred and further processed.

- Personal data should not be processed for longer than necessary for the purposes for which they are obtained and further processed.

v. Legal basis for processing

A commitment that:

- Personal data must be accurate and where necessary, kept up-to-date.

- Personal data should be adequate, relevant and not excessive in relation to the purposes for which they are transferred and further processed.

- Personal data should not be processed for longer than necessary for the purposes for which they are obtained and further processed.

Want to learn more?? The InfoSec Institute Ethical Hacking course goes in-depth into the techniques used by malicious, black hat hackers with attention getting lectures and hands-on lab exercises. While these hacking skills can be used for malicious purposes, this class teaches you how to use the same hacking techniques to perform a white-hat, ethical hack, on your organization. You leave with the ability to quantitatively assess and measure threats to information assets; and discover where your organization is most vulnerable to black hat hackers. Some features of this course include:

  • Dual Certification - CEH and CPT
  • 5 days of Intensive Hands-On Labs
  • Expert Instruction
  • CTF exercises in the evening
  • Most up-to-date proprietary courseware available

vi. Legal basis for processing sensitive data

Processing of sensitive data is prohibited expect if:

- The data subject has given his explicit consent to the processing of those sensitive data, except where the applicable laws prohibit it; or

- The processing is necessary for the purposes of carrying out the obligations and specific rights of the controller in the field of employment law in so far as it is authorized by national law providing for adequate safeguards; or

- The processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his consent; or

- The processing is carried out in the course of its legitimate activities with appropriate guarantees by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the Processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without the consent of the data subjects; or

- The processing relates to sensitive data which are manifestly made public by the data subject; or

- The processing of sensitive data is necessary for the establishment, exercise or defense of legal claims; or

- The processing of the sensitive data is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where those sensitive data are processed by a health professional subject under national law or rules established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy.

vii. Transparency and information right

A commitment to make the BCR readily available to every data subject.

Moreover, your BCRs shall describe the way the data subject is informed of the transfer and processing of their personal data.

A commitment that before their data is processed data subjects will be given the following information:

- The identity of the controller(s) and of his representative, if any;

- The purposes of the processing for which the data are intended;

- Any further information such as:

i) the recipients or categories of recipients of the data,

ii) the existence of the right of access to and the right to rectify the data concerning him in so far as such further information is necessary, having regard to the specific circumstances in which the data are collected, to guarantee fair processing in respect of the data subject.

Where the data have not been obtained from the data subject, the obligation to inform the data subject does not apply if the provision of such information proves impossible or would involve a disproportionate effort or if recording or disclosure is expressly laid down by law.

viii. Rights of access, blocking, erasure, rectifications of data

A commitment that:

- Every data subject has the right to obtain without constraint at reasonable intervals and without excessive delay or expense a copy of all data relating to them that are processed. Every data subject has the right to obtain the rectification, erasure or blocking of data in particular because the data are incomplete or inaccurate.

- Every data subject has the right to object, at any time on compelling legitimate grounds relating to their particular situation, to the processing of their personal data, unless that processing is required by law. Where the objection is justified, the processing must cease.

- Every data subject has the right to object, on request and free of charge, to the processing of personal data relating to him for the purposes of direct marketing.

An explanation of how the data subjects can get access to their personal data.

ix. Automated individual decisions

A commitment that no evaluation of or decision about the data subject which significantly affects them will be based solely on automated processing of their data unless that decision:

- is taken in the course of the entering into or performance of a contract, provided the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or that there are suitable measures to safeguard his legitimate interests, such as arrangements allowing him to put his point of view; or

- is authorized by a law which also lays down measures to safeguard the data subject’s legitimate interests.

x. Security and confidentiality

A commitment that appropriate technical and organizational measures to protect personal data have been implemented against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.

In this regard, sensitive data should be processed with enhanced security measures.

xi. Relationships with processors that are member of the same group

An explanation of how personal data are protected when using a processor who is a member of the group. In particular a requirement that:

- The controller must choose a processor providing sufficient guarantees with respect to the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures.

- The controller shall instruct the processor by written contractual means in accordance with the applicable law and this contract will, among others, stipulate:

i) That the processor shall act only on instructions from the controller;

ii) The rules relating to the security and confidentiality to be incumbent on the processor.

xii. Restrictions on transfers and onward transfers to external processors and controllers (not members of the group)

An explanation of the measures in place to restrict transfers and onward transfers outside of the group and a commitment that:

- External processors located inside the EU or in a country recognized by the EU Commission as ensuring an adequate level of protection shall be bound by a written agreement stipulating that the processor shall act only on instructions from the controller and shall be responsible for the implementation of the adequate security and confidentiality measures.

- All transfers of data to external controllers located out of the EU must respect the European rules on transborder data flows (Articles 25-26 of Directive 95/46/EC: for instance making use of the EU Standard Contractual Clauses approved by the EU Commission 2001/497/EC or 2004/915/EC or by other adequate contractual means according to Articles 25 and 26 of the EU Directive).

- All transfers of data to external processors located out of the EU must respect the rules relating to the processors (Articles 16-17 Directive 95/45/EC) in addition to the rules on transborder data flows (Articles 25-26 of Directive 95/46/EC).

xiii. Training programs

A commitment to provide appropriate training on the BCRs to personnel who have permanent or regular access to personal data, are involved in the collection of personal data or in the development of tools used to process personal data.

xiv. Audit program

A commitment to audit the group’s compliance with the BCRs and in particular that:

- The audit program covers all aspects of the BCRs including methods of ensuring that corrective actions will take place.

- Such audit must be carried out on a regular basis (specify the time) by the internal or external accredited audit team or on specific request from the privacy officer/function (or any other competent function in the organization)

- The results of all audits should be communicated to the privacy officer/function (or any other competent function in the organization) and to the board of management.

- The Data Protection Authorities can receive a copy of such audits upon request.

- The audit plan should allow the Data Protection Authorities to have the power to carry out a data protection audit if required.

- Each Member of the group shall accept that they could be audited by the Data Protection Authorities and that they will abide by the advice of the Data Protection

Authorities on any issue related to those rules.

xv. Compliance and supervision compliance

A commitment to appoint appropriate staff (such as a network of privacy officers) with top management support to oversee and ensure compliance with the rules.

A brief description of the internal structure, role and responsibilities of the network or privacy officers or similar function created to ensure compliance with the rules. For example, that the chief privacy officer advises the board of management, deals with Data Protection Authorities’ investigations, annually reports on compliance, ensures compliance at a global level and that privacy officers can be responsible for handling local complains from data subjects, reporting major privacy issues to the chief privacy officer and for ensuring compliance at a local level.

xvi. Actions in case of national laws preventing respect of BCRs

A clear commitment that where a member of the group has reasons to believe that the legislation applicable to him prevents the company from fulfilling its obligations under the BCRs and has substantial effect on the guarantees provided by the rules, he will promptly inform the EU headquarters or the EU member with delegated data protection responsibilities or the other relevant privacy function (except where prohibited by a law enforcement authority, such as prohibition under criminal law to preserve the confidentiality of a law enforcement investigation).

In addition, a commitment that where there is conflict between national law and the commitments in the BCR and the EU headquarters, the EU member with delegated data protection responsibilities or the other relevant Privacy Function will take a responsible decision on what action to take and will consult the competent Data Protection Authorities in case of doubt.

Want to learn more?? The InfoSec Institute Ethical Hacking course goes in-depth into the techniques used by malicious, black hat hackers with attention getting lectures and hands-on lab exercises. While these hacking skills can be used for malicious purposes, this class teaches you how to use the same hacking techniques to perform a white-hat, ethical hack, on your organization. You leave with the ability to quantitatively assess and measure threats to information assets; and discover where your organization is most vulnerable to black hat hackers. Some features of this course include:

  • Dual Certification - CEH and CPT
  • 5 days of Intensive Hands-On Labs
  • Expert Instruction
  • CTF exercises in the evening
  • Most up-to-date proprietary courseware available

xvii. Internal complaints mechanisms

A commitment to put in place a complaint handling process where:

- Any data subject may complain that any member of the group is not complying with the BCRs.

- The complaints will be dealt by a clearly identified department/person which must benefit from an appropriate level of independence in the exercise of his/her functions.

xviii. Third party beneficiary rights

A clear statement that the BCRs grant rights to data subjects to enforce the rules as third-party beneficiaries. The rights should cover the judicial remedies for any breach of the rights guaranteed and the right to receive compensation (see articles 22 and 23 of the EU Directive).

A statement that the data subjects can choose to lodge claims before:

- The jurisdiction of the data exporter located in the EU, or

- The jurisdiction of the EU headquarters/the EU Member with delegated responsibilities,

or

- Before the competent Data Protection Authorities.

A commitment that all data subjects beneficiating from the third party beneficiary rights should also have easy access to this clause.

xix. Liability

A commitment that:

- Either EU headquarters or the EU Member with delegated responsibilities accept responsibility for and agree to take the necessary action to remedy the acts of other Members of the corporate group outside of the EU and to pay compensation for any damages resulting from the violation of the BCRs by the members of the group.

- The burden of proof stays with either the EU headquarters or the EU Member with delegated responsibilities to demonstrate that the member outside the EU is not liable for the violation resulting in the damages claimed by the data subject.

If the EU headquarters or the EU Member with delegated responsibilities can prove that the member outside the EU is not liable for the violation, it may discharge itself from any responsibility.

x. Mutual assistance and cooperation with Data Protection Authorities

A commitment that:

- Members of the group shall cooperate and assist each other to handle a request or complaint from an individual or an investigation or inquiry by Data Protection Authorities.

- Entities will abide by the advice of the Data Protection Authorities on any issues regarding the interpretation of the BCRs.

xi. Updates of the rules

A commitment to report any significant changes to the BCRs or to the list of members to all group members and to the Data Protection Authorities to take into account modifications of the regulatory environment and the company structure and more precisely that:

- Some modifications might require a new authorization from the Data Protection Authorities.

- Updates to the BCRs or to the list of the Members of the group bound by the BCRs are possible without having to re-apply for an authorization providing that:

i) An identified person keeps a fully updated list of the members of the BCRs and keeps track of and records any updates to the rules and provides the necessary information to the data subjects or Data Protection Authorities upon request.

ii) No transfer is made to a new member until the new member is effectively bound by the BCRs and can deliver compliance.

iii) Any changes to the BCRs or to the list of Members should be reported once a year to the Data Protection Authorities granting the authorizations with a brief explanation of the reasons justifying the update.

A commitment that substantial modifications to the rules will also be communicated to the data subjects.

xii. Relationship between national laws and the BCRs

An explanation that:

- Where the local legislation, for instance EU legislation, requires a higher level of protection for personal data, it will take precedence over the BCRs.

- In any event data shall be processed in accordance to the applicable law as provided by the Article 4 of the Directive 95/46/EC and the relevant local legislation.

xiii. Final provisions

- Effective date

- Transitional period

Documentation to be provided to the DPAs

- Standard Application Form WP133. Click here:

- Any documentation that may show that commitments in the BCRs are being respected, for instance:

- Privacy policies per processing (e.g. Customer Privacy Policy, HR Privacy Policy) to inform data subjects (e.g. customers, employees) about the way the

Company protects their personal data

- Guidelines for employees having access to personal data so that they can easily understand and apply the rules prescribed into the BCRs (e.g. guidelines on how to respond to a complaint from a data subject, on how to provide information to data subjects, on appropriate security/confidentiality measures to be observed)

- Data protection audit plan and program defined with relevant persons (internal/external accredited auditors of the company)

- Examples and/or explanation of the training program

- Documentation showing that the member that is at the origin of the transfer of data outside of the EU and either the EU headquarters or the EU Member with delegated responsibilities has sufficient assets to enable payment of compensation for damages resulting from the breach of the BCRs.

- Description of the internal complaint system

- List of entities bound by the BCRs

- Security policy for IT systems processing EU personal data

- Certification process to make sure that all new IT applications processing EU data are BCRs compliant

Any standard contracts to be used with data processors (member or non member of the Group) processing EU data

- Job description of data protection officers or other persons in charge of data protection in the Company.

3. Safe Harbor Agreement

According to the Commission Decision 2000/520EC with regards to the Directive 95/46/EC provisions, the EU Member States have to provide that the transfer of personal data to a third country may take place only if the third country in question ensures an adequate level of protection and the Member State laws implementing other provisions of the Directive are respected prior to the transfer.

The “Safe Harbor Privacy Principles” issued by the US Department of Commerce on 21 July 2000, are considered to ensure an adequate level of protection for personal data transferred from the Community to organizations established in the United States, having regard to the following documents issued by the US Department of Commerce:

(a) the safe harbor enforcement overview;

(b) a memorandum on damages for breaches of privacy and explicit authorizations in US law;

(c) a letter from the Federal Trade Commission;

(d) a letter from the US Department of Transportation .

The Commission’s Decision requires that the following conditions shall be met in relation to each transfer of data:

(a) the organization receiving the data has unambiguously and publicly disclosed its commitment to comply with the Principles implemented in accordance with the FAQs; and

(b) the organization is subject to the statutory powers of a government body in the United States, which is empowered to investigate complaints and to obtain relief against unfair or deceptive practices as well as redress for individuals, irrespective of their country of residence or nationality, in case of non-compliance with the Principles implemented in accordance with the FAQs.

FAQs could be accessed here.

i. Safe Harbor Principles, as outlined in the Commission Decision 2000/520EC

1. NOTICE

Individuals must be informed by organizations about:

- the purposes for which their personal information is collected and used,

- to whom their personal information may be disclosed,

- how to contact the organization with any inquiries or complaints

- how the organization limits the use and disclosure of their private information.

The Notice should be provided in plain language to the individuals before the collection and use of data starts or if after, before the use of data which is not consistent with the collection purpose.

2. CHOICE

An organization must:

- offer individuals the opportunity to opt out whether their personal information is

(a) to be disclosed to a third party;

(b) to be used for a purpose that is incompatible with the purpose(s) for which it was originally collected.

For sensitive information (i.e. medical or health information, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual), individuals must be:

-given affirmative or explicit (opt in) choice if the information is to be disclosed to a third party or used for a purpose other than those for which it was originally collected.

3. ONWARD TRANSFER

To disclose information to a third party, organizations must apply the Notice and Choice Principles.

The transfer of private information to a third party could take place if:

- the third party subscribes to the Principles or is subject to the Directive 95/46/EC in order to ensure the same level of privacy protection as is required;

- if the organization complies with these requirements, it should not be responsible if the third party processes it in a way contrary to any restrictions or representations, unless the organization knows this.

4. SECURITY

Organizations creating, maintaining, using or disseminating personal information must take reasonable precautions to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction.

5. DATA INTEGRITY

Consistent with the Principles (which are similar to the Directive 95/46/EC), personal information must:

- be relevant for the purposes, for which it is to be used,

- an organization should not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual,

- an organization should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current.

6. ACCESS

Individuals must have access to personal information about them that an organization holds and be able to

- correct,

- amend,

- delete that information,

where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated.

7. ENFORCEMENT

Effective privacy protection must include:

- mechanisms for assuring compliance with the Principles,

- recourse for individuals to whom the data relate affected by non-compliance with the Principles,

- consequences for the organization when the Principles are not followed. At a minimum, such mechanisms must include:

(a) easily available and affordable independent recourse mechanisms by which each individual’s complaints and disputes are investigated and resolved by reference to the Principles and damages awarded where the applicable law or private sector initiatives so provide;

(b) follow up procedures for verifying that the attestations and assertions businesses make about their privacy practices are true and that privacy practices have been implemented as presented;

(c) obligations to remedy problems arising out of failure to comply with the Principles by organizations announcing their adherence to them and consequences for such organizations. Sanctions must be sufficiently rigorous to ensure compliance by organizations.

V. Conclusions

Considering the legal requirements of the Directive 95/46/EC, Article 25
the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if… the third country in question ensures an adequate level of protection…this Article provides three legal mechanisms for such transfers:

-Standard Contractual Clauses – for single Organizations or entities

-Binding Corporate Rules – for multinational Organizations or entities

-Safe Harbor Agreement principles – for Organizations or entities located in the U.S.

To conclude, this Article provides Organizations or entities with all the available mechanisms for data transfer from the European Union to third countries, regardless if those Organizations are independent-single entities or multinational ones.