The privacy regulation (Regulation (EU) 2016/679) will shortly be directly applicable across Europe, which means that businesses, public administrations and private citizens will all be rushing to make sure they comply with the provisions of the new regulation.
To make it easier to understand such a complex and highly structured text as the GDPR, we provide a set of simple factsheets here with a Q&A formula, which starting from already well-known privacy concepts, give a brief first guide to the new regulation.
What does “transfer of personal data” mean?
The GDPR does not give a precise definition of what “transfer” means. Reading the dispositions that regulate transfers of personal data (Arts. 44-50 of the GDPR), it can be inferred that by “transfer” the GDPR indicates a movement of personal data from a controller or processor of personal data inside the EU, to a controller or processor outside the EU.
The GDPR broadens the scope of application of the regulation. Firstly, it also includes those cases when personal data is transferred to an international organisation. Secondly, the GDPR requires the rules on transfer to be applied not only to “direct” data transfers from a European to a non-European country, but also to successive transfers, namely when the subject who the data have initially been transferred to, subsequently transfers them to other subjects.
What is the procedure a controller or a processor must follow when he/she wishes to transfer personal data?
The data controller or data processor may carry out a transfer of personal data, only when they fulfil one of the conditions provided for in articles 45-49 of the GDPR.
What “mechanisms” may be used?
The ”mechanisms” listed in articles 45-49, which controllers and processors may use to transfer personal data, partially cover the list of conditions already provided for by the Italian Privacy Code or produced by Working Party Art. 29. By way of example, a transfer will be legitimate in cases in which; the third country personal data are being transferred to has obtained an adequacy decision from the European Commission; it is conditional upon appropriate safeguards, such as the use of standard contractual clauses (SCCs) between sender and receiver, or, for intra-group transfers, the adoption of binding corporate rules (BCRs) by the group of enterprises; the sender fulfils one of the derogations set out in art. 49 of the GDPR (e.g. he/she has collected the data subject’s consent).
What changes with the GDPR?
On the one hand, the GDPR has made available new “instruments” for data transfers and on the other it lays out the different conditions according to a scale of importance: the adequacy decision becomes the pillar of the new system; controllers or processors will only have to adopt one of the other alternatives offered by the GDPR in its absence.
In the context of appropriate safeguards, binding corporate rules take on their own importance and are regulated in detail in art. 47 of the GDPR, which lists their minimum content. Art. 46, on the other hand, makes changes to the list of the legal grounds which can be used for a transfer, backing up SCCs and BCRs with: the adoption of a “legally binding and enforceable instrument between public authorities or bodies”; signing an approved code of conduct or subscribing to certification mechanism. Moreover, SCCs, which were formerly only valid when adopted by the European Commission, may henceforth also be adopted by a National Control Authority (provided they are then approved by the European Commission or submitted to the consistency mechanism referred to in art. 63 of the GDPR).
Finally, art. 49 specifies the other possible “derogations for specific situations”, which the sender can use in the absence of both an adequacy decision and an appropriate safeguard.
Are already adopted adequacy decisions still valid?
The GDPR specifies that the adequacy decisions adopted on the basis of directive 95/46/CE remain valid until they are modified, substituted or revoked by a European Commission decision, for example, following a periodic four year review required for all adequacy decisions. Therefore, all adequacy decisions adopted up to the present time remain valid for the moment.
Already adopted adequacy decisions may be consulted HERE.
What SCCs can currently be used?
With regard to standard contractual clauses, the European Commission has so far issued model clauses for data transfers from data controllers in the EU to data controllers established outside the EU and it has also issued one set of contractual clauses for data transfers from controllers in the EU to processors established outside the EU, which can be found HERE.
In addition, a model SCC for the transfer of data from a processor established in the EU to another processor established in a third country is currently under preparation.