2. TASK OF DPO IN INTERNATIONAL DATA TRANSFERS

Transcription

1 INTERNATIONAL DATA TRANSFERS AND CODES OF CONDUCT Ana María Martínez Bermejo Spanish Data Protection Agency 1. INTERNATIONAL DATA TRANSFERS 2. TASK OF DPO IN INTERNATIONAL DATA TRANSFERS 3. CODES OF CONDUCT 1

2 1. INTERNATIONAL DATA TRANSFERS GLOBALIZATION The internet and new technologies Centralization of processes and activities Shared Technological resources Lower costs Resources distribution (scale economies) Service provider guaranty 2

3 GLOBALIZATION TRANSBOUNDARY COMMUNICATION OF DATA FLOWS Personal data: company asset Data protection: fundamental right BALANCE Business Interests individual rights MAIN ACTIVITIES INVOLVING INTERNATIONAL DATA TRANSFERS Customer call centers Online marketing Management and technical support of the data base of customers, providers, etc International projects in the framework of multinational companies Global policy group Centralization of Human resources management Administrative work services Better quality of services and accuracy under a global iniciative. 3

4 INTERNATIONAL DATA TRANSFERS Data protection safeguards International data transfer Data processing in the country of origin: safeguards of the exporter Goal: to ensure an adequate level of protection in the area of the International data transfer (exporter- importer) Protection mechanisms in the destination country Safeguards for the exercise of the individual rights Data protection authority Avoid onwards transfers of data to other countries Safeguards to be provided by the importer of the data Importer-exporter contractual clauses Liability Restrictions on onward transfers Security measures and supervision DEFINITIONS International Personal Data Transfer Data processing that implies their transmission outside the territory of the European Economic Area, whether as an assignment or data disclosure, or for the purpose of data processing on behalf of the data controller established in a State Member territory Transmission inside the territory of the European Economic Area = data disclosure Member States of the EEA: Member States of the EU + Norway, Iceland and Liechtenstein 4

5 DEFINITIONS Data Exporter The natural person or legal entity, public or private situated in a Member State, who carries out a transfer of personal data to a third country Data Importer The natural person or legal entity, public or private who received the data in the event of their international transfer to a third country, whether is a data controller or data processor Data Subject The natural person to whom the data undergoing processing pertain EUROPE LEGAL FRAMEWORK - Convention 108 of the European Council (Art 12) - European Union Directive on Data Protection 95/46 EC (Arts. 25 and 26) - Decisions of the European Commission REGULATIONS OF THE MEMBER STATES SPAIN Organic Law 15/1999 of 13 December on the Protection of Personal Data (LOPD) - Articles Royal Decree 1720/2007 of 21 December, which approves the regulation implementing LOPD (RLOPD) - Title VI. International data transfers. Arts Title IX. Chapter V. Procedures regarding international data transfer Arts

6 INTERNACIONAL PERSONAL DATA TRANSFERS THIRD COUNTRIES WICH DON T PROVIDE ADEQUATE LEVEL OF PROTECTION EXCEPTIONS ART 26.1 D95/46 EC STANDARD CONTRACTUAL CLAUSES/ BCRs THIRD COUNTRIES WITH ADEQUATE LEVEL OF PROTECTION ARGENTINA SWITZERLAND INTERNATIONAL DATA TRANSFERS TO THIRD COUNTRIES WITH AN ADEQUATE LEVEL OF PROTECTION TO THIRD COUNTRIES WITHOUT AN ADEQUATE LEVEL OF PROTECTION (SAFEGUARDS) 6

7 THIRD COUNTRIES WITH AN ADEQUATE LEVEL OF PROTECTION Art. 25 Directive 95/46 EC Member States of EU Member States of the EEA (Norway, Iceland, Liechtenstein) European Commission Adequacy Decision -Switzerland, Argentina, Guernsey, Man Island, Faroe Island, Jersey, Andorra, Israel, Uruguay -Canada (Personal Information and Electronic Documents Act) and USA (Safe Harbour) Member State Adequacy Decision THIRD COUNTRIES WHICH DO NOT ENSURE AN ADEQUATE LEVEL OF PROTECTION Art 26.1 Directive 95/46 EC The transfer may take place when: The data subject has given his consent The transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken in response to the data subject s request The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party 7

8 The transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims The transfer is necessary in order to protect vital interests of the data subject The transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case THIRD COUNTRIES WHICH DO NOT ENSURE AN ADEQUATE LEVEL OF PROTECTION Art 26.2 Directive 95/46 EC Standard Contractual Clauses from controller/exporter to controller/importer - European Commission Decision 2001/497EC - European Commission Decision 2004/915 EC Standard Contractual Clauses from controller/exporter to processor/ importer - European Commission Decision 2010/87 EC Standard Contractual Clauses from processor/exporter to sub-processor/importer (Spanish Data Protection Agency) 8

9 STANDARD CONTRACTUAL CLAUSES FROM PROCESSOR/EXPORTER TO SUB-PROCESSOR/IMPORTER (Spanish Data Protection Agency) Controller The client of the Data Exporter Data exporter The individual or legal entity, public or private, or administrative entity located in Spanish territory that realises a personal data transfer to a third country, acting as data processor Data importer The sub-processor who agrees on receiving from the data exporter personal data for further processing on his account, according with his instructions, the established in the framework contract and the terms of the clauses, and not subject to the system of a third country to ensure the adequate protection within the meaning of the Directive 95/46 EC 9

10 Sub-processor Any processor engaged by the data importer or by any other sub-processor who agrees to receive from the data importer or from any other sub-processor thereof, personal data exclusively for subsequent processing activities that could be done on behalf of the data exporter, in accordance with his instructions with the established on the framework contract, the terms of clauses and the terms STANDARD CONTRACTUAL CLAUSES FROM PROCESSOR/EXPORTER TO SUB-PROCESSOR/IMPORTER Decission 2010/87/UE (Recital 23) Contractual framework that comprises two agreements Controller-processor agreement: Agreement for processor/exporter-subprocessor in a third country. 10

11 Controller/Processor Agreement Signed on a case-by-case basis by the controller(customer) Reference to contractual safeguards authorised for IDTs. Safeguards. - Applicable law: Law of the controller - Authorisation for subcontracting Agreement for processor/exporter-subprocessor in a third country. Data processor: Exporter authorised by the SPDA. The controller is not a party to the agreement Authorises IDTs, including future IDTs (general contracts terms and conditions): - Potential controllers/customers - New authorisations unnecessary. 11

12 Decision 2010/87/UE safeguards adapted: - Applicable law: Law of the Exporter - Information on subsequent sub-processors - Third-party beneficiary clause - Cooperation with the SDPA EEA Third countries Controller Subprocessor Data importer Controller Controller Processor Data exporter Subprocessor Data importer Subprocessor Data importer SLA Data Controller Notification PROCEDURE OF NOTIFICATION AND AUTHORISATION OF INTERNATIONAL DATA TRANSFERS CC Processor - Subprocessor Authorisation of the SDPA Director 12

13 THIRD COUNTRIES WHICH DO NOT ENSURE AN ADEQUATE LEVEL OF PROTECTION Art 26.2 Directive 95/46 EC BINDING CORPORATE RULES Tailor-made solution for multinational corporate groups to ensure an adequate level of protection in order to transfer personal data out of the EEA Binding or legally enforceable Corporate in the sense that consist of the rules in place in multinational companies, usually set up under the responsibility of the headquarters For international data transfers as the main reason for their existence BCRs Regulation: Working Group art 29 WP12 (24 July 1998) Working Document Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive WP74 (3 June 2003) Working Document on Transfers of personal data to third countries: Applying Article 26 (2) of the EU Data Protection Directive to Binding Corporate Rules for International Data Transfers WP107 (14 April 2005) Working Document Setting Forth a Co-Operation Procedure for Issuing Common Opinions on Adequate Safeguards Resulting From Binding Corporate Rules WP108 (14 April 2005) Working Document Establishing a Model Checklist Application for Approval of Binding Corporate Rules WP153 (24 June 2008) Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules WP154 (24 June 2008) Working Document Setting up a framework for the structure of Binding Corporate Rules WP155 (24 June 2008) Working Document on Frequently Asked Questions (FAQs) related to Binding Corporate Rules (As last Revised and adopted on 8 April 2009) WP 195 (6 June 2018) Working Document Setting up a table with the elements and principles to be found in Processor Binding Corporate Rules 13

14 THE BINDING NATURE INTERNALLY Binding on the members of the group Binding on the employees EXTERNALLY Enforceability by the data subjects Enforceability by the data protection authorities INTERNATIONAL DATA TRANSFERS IN THE PROPOSAL FOR A GENERAL DATA PROTECTION REGULATION TO THIRD COUNTRIES WITH AN ADEQUATE LEVEL OF PROTECTION TO THIRD COUNTRIES WITHOUT AN ADEQUATE LEVEL OF PROTECTION the transfers may take place: Binding corporate rules Standard Data Protection Clauses adopted by the Commission Standard Data Protection Clauses adopted by a Supervisory Authority Contractual Clauses between the controller or processor and the recipient of the data authorised by a Supervisory Authority Where the conditions mentioned in the regulation would take place. 14

15 2. TASKS OF DATA PROTECTION OFFICERS IN INTERNATIONAL DATA TRANSFERS KEEP AND MAINTAIN A REGISTER OF PROCESSING OPERATIONS CARRIED OUT BY THE CONTROLLER ART 18.2 Directive 95/46 EC ART 18.a) Croatian Data Protection Act (CDPA) ART Croatian Data Protection Act (CDPA) The register must contain some information: THE COUNTRY WHERE THE DATA HAVE BEEN TRANSFERRED FOREIGN USER OF SUCH PERSONAL DATA THE PURPOSE OF THIS TRANSFER 15

16 INFORM AND ADVISE THE CONTROLLER ABOUT HIS OBLIGATIONS IN INTERNATIONAL DATA TRANSFERS INFORM DATA SUBJECT (with any exception foreseen by law) Art Directive 95/46 EC SENSITIVE DATA OBTAIN THE CONSENT OF THE DATA SUBJECT (with any exception foreseen by law) Art.7 Directive 95/46 EC CONTRACT BINDING THE PROCESSOR TO THE CONTROLLER: International Data transfers from controller to processor Art.17.3 Directive 95/46 EC_ Decision 2010/87 EC SAFEGUARDS Standard Contractual Clauses - Applicable data protection law: law of the controller - Security measures and supervision - Third-party beneficiary clause - Liability - Restrictions on onward transfers - Cooperation with Supervisory Authorities 16

17 SAFEGUARDS BCRs -Privacy Principles: transparency, purpose limitation, data quality -Security measures -Individual s rights of access, rectification and objection to processing -Restrictions on onward transfers ENSURE THAT DATA SUBJECTS ARE INFORMED OF THEIR RIGHTS RIGHT OF ACCESS, RECTIFICATION, CANCEL AND OBJECTION Arts. 12,13,14 Directive 95/46 EC RIGHT TO LODGE A COMPLAINT Art. 22 Directive 95/46 EC - BEFORE THE DATA PROTECTION AUTHORITIES - BEFORE THE COURT - IN BCR_ INTERNAL COMPLAINT HANDLING PROCESS CLAIM LIABILITY Art. 23 Directive 95/46 EC - Redress - Compensation 17

18 THIRD PARTY BENEFICIARY RIGHT: The contractual clauses or corporate rules grant rights to data subjects to enforce some clauses or the rules as third party beneficiaries International transfers based on Standard Contractual Clauses and BCR OBTAIN A COPY OF THE CLAUSES OR CORPORATE RULES International transfers based on Standard Contractual Clauses and BCR ENQUIRE THE PARTIES ABOUT THE PROCESSING OF THEIR DATA International transfers based on Standard Contractual Clauses and BCR COOPERATE WITH DATA PROTECTION AUTHORITIES REPLYING TO REQUEST FROM THE SUPERVISORY AUTHORITY CONSULTING WITH THE SUPERVISORY AUTHORITY ACTING AS THE CONTACT POINT FOR THE SUPERVISORY AUTHORITY ON ISSUES RELATED TO THE INTERNATIONAL DATA TRANSFER DEPOSITING A COPY OF THE CONTRACTS, UPON REQUEST OR IF REQUIRED International transfers based on Standard Contractual Clauses and BCR COOPERATING IN AUDITS 18

19 OTHER TASKS IN BCR SET-UP A NETWORK OF PRIVACY OFFICERS (WP 153,154) - FOR HANDLING COMPLAINTS - FOR OVERSEEING AND ENSURING COMPLIANCE WITH THE RULES 3. CODES OF CONDUCT 19

20 They shall contain specific rules or standards that permit the harmonisation of the data processing done by subscribers, facilitate the exercise of the rights of the data subjects and compliance of the provisions of laws DRAWN UP BY: Public or Private Controllers, representative organisations of the sector and other bodies to which they belongs By means of: Sectorial agreements, administrative agreements, company decisions The codes of conduct shall have the status of codes of ethics or good professional practice and shall be binding on subscribers The codes of conduct shall be voluntary The sectorial codes of conduct shall refer to all or part of the processing carried out by entities pertaining to the same sector, and shall be drawn up by representative organisations of the sector, at least within its territorial scope of application The codes of conduct promoted by a company shall refer to all the processing it carries out 20

21 CONTENT The codes of conduct shall include, at least, with a sufficient degree of precision: The clear and precise delimitation of its scope of application, the activities to which the code refers and the processing subject to it The specific provisions for the application of the principles of data protection The establishment of procedures facilitating the exercise by data subjects of their rights of access, rectification, erasure and objection The establishment of standards for the compliance by subscribers of obligations established in the Law The determination of the assignments and international transfers of data that, if appropriate, are planned, indicating the guarantees that must be adopted; Training actions on data protection aimed at those who process data, particularly with regard to their relationship with data subjects The mechanisms for supervision through which it guarantees compliance by subscribers of that established in the code of conduct 21

22 The code of conduct shall have attached as a schedule a list of subscribers, which shall be kept up-to-date CLAUSES for obtaining the consent of data subjects to the processing or disclosure of their data for informing data subjects of the processing, when the data is not obtained from them MODELS Models for the exercise by data subjects of their rights of access, rectification, erasure and objection Models of clauses for compliance with the applicable formal requirements for contracting a data processor, if appropriate The codes of conduct may include any other additional commitment taken on by the subscribers for better compliance with the current legislation on data protection They may also contain any other commitment established by the promoting entities and, in particular on The adoption of additional security measures to those required in the Law The identification of the categories of recipients or importers of data The specific measures adopted on the protection of minors or specific groups of data subjects The establishment of a seal of quality identifying subscribers to the code 22

23 OBLIGATIONS Maintain accessible to the public the updated information on the promoting entities, the content of the code of conduct, the procedures for subscription and guarantee of compliance and the list of subscribers to which the previous Article refers.. Such information shall be presented clearly and concisely and shall be permanently accessible by electronic means. Send to the Supervisory Authority an annual report on the activities carried out to disseminate the code of conduct and promote subscription to it, the actions for verifying compliance with the code and their results, the complaints and claims handled and the process they have undergone and any other aspect that the promoting entitys deem relevant. Periodically evaluate the effectiveness of the code of conduct, measuring the degree of satisfaction of the data subjects and, if appropriate, updating the contents to adapt it to the general or sectoral legislation on the protection of data that is in force at any time. This evaluation shall take place, at least, every four years, unless adaptation of the commitments of the code to an amendment of the applicable legislation is required earlier. Promote accessibility of all persons, paying particular attention to those with a disability or of advanced age, to the information available on the code of conduct. 23

24 Hvala lijepa 24