Transfers to third countries
Controllers and processors must comply with the conditions set out in the GDPR to ensure that the level of protection guaranteed by the GDPR is not undermined. Transfers must not take place unless they are in full compliance with the GDPR.
The controller or processor must document the safeguards put in place as part of the accountability requirements.
The conditions for transfers
Transfers with an adequacy decision
Transfers to countries or international organisations with an adequacy decision from the EU do not require specific authorisation by a supervisory authority.
The existing adequacy decisions, including that of the Isle of Man, will remain valid until they are amended, replaced or repealed by the EU Commission. A review of the existing decision is anticipated shortly after the GDPR becomes enforceable, at which time adequacy will be assessed against the GDPR (not the old Directive). This timescale is supported by the Opinion of the Article 29 Data Protection Working Party on the adequacy of the protection for personal data in the proposed EU-US Privacy Shield.
However, as a result of the Schrems judgment in October 2015, controllers or processors transferring personal data to an existing adequate third country must still consider whether, in their view, the third country does, in fact, provide an appropriate level of protection for the particular data transfer.
When the GDPR comes into force, this will become an even more important consideration for controllers or processors transferring personal data to the Island. They must be satisfied that equivalent protection to that which is required under the GDPR, not the existing Directive, is guaranteed as the higher bracket of administrative fines for non-compliance could be imposed.
Transfers by way of appropriate safeguards
Where no adequacy decision has been made, transfers can be made only if the controller or processor has “adduced appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available”.
Specific authorisation by a supervisory authority is not required if appropriate safeguards are in place. Such safeguards must include compliance with the general principles relating to processing and with the principles of data protection by design and by default.
The following safeguards are specified:
- A legally binding and enforceable instrument between public authorities or bodies with corresponding duties or functions;
- Binding corporate rules;
- Adoption of the Commission’s standard data protection clauses (or those of an EU supervisory authority approved by the Commission);
- An approved code of conduct or certification, together with binding and enforceable commitments to apply those safeguards, including the rights.
Transfers by way of binding corporate rules
Binding corporate rules (BCRs) can be approved by EU supervisory authorities once the GDPR is in force. Details about the specifications and requirements of BCRs are set out in Article 43.
If the transfer does not meet any of the conditions above, it can still take place if one of the following circumstances applies (* not applicable to public authorities in the exercise of their public powers):
- Explicit consent has been given to the proposed transfer by the data subject after having been informed of the associated risks *;
- For the performance of a contract between the data subject and controller, or the implementation of pre-contractual measures taken at the data subject’s request *;
- For the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another person *;
- For important reasons of a public interest recognised in law;
- For the establishment, exercise or defence of legal claims;
- In order to protect the vital interests of the data subject or other persons where the data subject is physically or legally incapable of giving consent.
In any other case*, a transfer can only take place if it:
- Is not repetitive; and
- Concerns only a limited number of data subjects; and
- Is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the rights and freedoms of the data subjects; and
- Is covered by suitable safeguards adduced by the controller.
The controller must document the assessment undertaken, as well as the safeguards implemented, in the records of processing activities as part of the accountability obligations, and must provide details about the transfer and the compelling legitimate interests to the data subject and to the supervisory authority.
Transfers or disclosures ordered by a third country
Any judgment of a court, tribunal or administrative authority of a third country ordering a disclosure or transfer of personal data to that third country may only be recognised or enforceable if there is an international agreement (for example a legal assistance treaty) in place between the third country and the Union or Member State.