This procedure is intended to be used when putting in place a new arrangement for the transfer of personal data to a country outside of the European Union or to an international organisation. It may also be used when validating whether existing arrangements meet the requirements of the General Data Protection Regulation (GDPR).
An international organisation is defined by the GDPR as “an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries” (GDPR Article 4).
Webrov Group OÜ (hereinafter the Company) realizes and understands that the intention of the GDPR is to protect the personal data of data subjects wherever they are held; there are strict requirements governing where personal data can be transferred to and the measures that must be in place for such a transfer to be legal. The penalties for contravening the GDPR are significant and the Company takes care to ensure that it remains within the law at all times.
This procedure applies where, in accordance with the GDPR, the Company, acting as a data controller or data processor, wishes to transfer personal data it collects and/or processes to third countries or international organizations outside of the EU for processing.
This procedure should be considered in conjunction with other documents developed by the Company.
Determine the destination country or countries
In order to establish whether a transfer of personal data is legal under the GDPR, the destination country or countries must be firmly established, along with any other countries that will receive an onward transfer of the personal data as part of the arrangement.
Establish whether an adequacy decision applies
Once a clear understanding of the destination country or countries of the personal data has been established, the list of countries and international organizations for which an adequacy decision applies must be consulted. This list is published in the Official Journal of the European Union and on the European Commission website (ec.europa.eu).
The European Commission has so far recognized Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework) as providing adequate protection. This information is subject to change from time to time.
An adequacy decision means that the European Commission considers the level of protection for personal data in that country to be acceptable and therefore transfers do not require any additional legal safeguards to be put in place. Adequacy decisions are regularly reviewed, at least every four years, and can be repealed in the event that the European Commission no longer considers that the country in question meets its requirements for the protection of personal data.
A special case in this area is that of the EU-US Privacy Shield which covers transfers of the personal data of EU citizens to the USA. US organizations that sign up to the Privacy Shield may store and process such personal data as long as they meet strict safeguards that are equivalent to the requirements of the GDPR. Personal data may effectively be transferred to such US organizations as if an adequacy decision applied.
Taking this into account, the Company should make sure that the companies to which personal data are being transferred are signed up to the Privacy Shield.
Implement appropriate safeguards
In the event that the country or one or more of the countries to which personal data is to be transferred is not subject to an adequacy decision from the European Commission, appropriate safeguards must be put in place to provide for data subjects’ rights and enforceable legal remedies.
There are a number of ways in which the GDPR allows for these safeguards to be provided. These are:
- between public authorities or bodies only, via a legally binding agreement which is capable of being enforced;
- using binding corporate rules;
- using standard data protection clauses adopted either by the European Commission or the relevant supervisory authority;
- via an approved code of conduct;
- via a certification scheme.
The status of some of the above safeguards may change over time, as the GDPR becomes more mature and further guidance is issued both by the European Commission and the individual supervisory authorities.
The most appropriate method of providing protection for the rights of data subjects whose data will be transferred should be chosen and incorporated into the contractual clauses of the relevant agreement.
Other acceptable conditions for transfers of personal data
In the event that an adequacy decision does not apply to the destination country and appropriate safeguards cannot be put in place via the above methods, the Company may make an international transfer of personal data only if one of the following situations applies:
- the data subject explicitly consents to the transfer, having been informed of the risks;
- the transfer is necessary to meet contractual commitments to the data subject or the data subject asks for the transfer prior to contract;
- the transfer is in the data subject’s interests with regard to a contract;
- it is for important reasons of public interest (recognised by law);
- the transfer is to do with a legal claim;
- the data subject’s vital interests are protected by the transfer or if they are unable to consent;
- the transfer is made from a public register.
The specifics of each of these conditions must be reviewed by the Company directly from the GDPR Article 49 (“Derogations for specific situations”) before basing a transfer on them.
Generally, when transferring personal data to third countries or international organisations outside of the EU, the Company checks that there is an adequate level of protection established by one of the following:
- the country, or industry sector within that country, of the recipient is on the EU approved list of countries as set out in the Official Journal of the European Union;
- the country of the recipient has adequate data protection controls established by a legal or self-regulatory regime;
- the Company has a contract in place that uses existing or approved data protection clauses to ensure adequate protection;
- the Company is making the transfer under approved binding corporate rules;
- the Company is relying on approved codes of conduct or certification mechanisms, together with binding and enforceable commitments in the third country or international organisation to apply the appropriate safeguards in relation to data subject rights.
Once the legal basis of the transfer of personal data has been established and approved, the mechanics of achieving the transfer should be addressed. These will vary according to factors such as the type and volume of data involved, the destination and the technology used.
The Company must take care to ensure that the safeguards that have been agreed to as part of the setting up of the transfer are adhered to and that evidence of their use is maintained for future audit purposes.
The website of the European Commission and the relevant supervisory authority should be monitored so that any changes that affect the legality or performance of the transfer are identified and acted upon.
The Company has developed all internal documents to define roles among staff concerning the processing of personal data within the Company; in particular, a Management Board member is responsible for approving and reviewing the legitimacy of this document.