Sharing personal data with EU companies may become more complicated

published on 15 September 2020 | reading time approx. 8 minutes

Cross-border transfers of personal data are extremely important for Russian companies that operate in the European market and have to interact with their EU counterparties.

In this regard, serious concerns were raised by the ruling issued by the Court of Justice of the European Union (CJEU) on 16 July 2020 in the lawsuit filed by the Irish Data Protection Commissioner against Facebook, in which the CJEU struck down the agreement for cross-border transfers of personal data between the EU and the United States (“Privacy Shield Agreement”). The ruling originated in a complaint filed with the Irish Data Protection Commissioner by Max Schrems, an Austrian lawyer who was of the opinion that the US company collecting data on EU nationals and transferring them to the USA violates the right to privacy of the persons concerned. In the arguments supporting his complaint, Mr Schrems referred to the US law that allows the US secret services access to personal data of foreign nationals where these data are in the US territory, a permission that conflicts with EU law. The CJEU agreed with the arguments presented in the complaint and cancelled the Privacy Shield Agreement as inconsistent with the personal data protection level established in the European Union.

It may seem at first glance that the ruling does not affect other countries - but this is not quite true. The cancellation of the Privacy Shield Agreement was yet another reason for the Europeans to consider whether the arrangements for transfers of the personal data of EU citizens to third countries are safe in principle. The algorithm currently in effect for such cross-border transfers is the one prescribed by the European General Data Protection Regulation (GDPR). It can be described as follows:
  1. If the European Commission has acknowledged that the country importing personal data ensures their adequate protection, their transfer to such country is possible without any further formalities. However, the European Commission has not made such a decision in respect of Russia.
  2. Unless the European Commission has decided that the level of protection ensured to personal data in the country concerned is adequate, data transfers are only possible where so-called appropriate safeguards are in place; the list of such safeguards can be found in Article 46 of the GDPR. The Regulation subdivides such safeguards into two groups: group one safeguards allow cross-border transfers of data without having to obtain permission from the EU supervisory authorities, while group two safeguards trigger the requirement to obtain such permission. The first group of appropriate safeguards includes:
  • Standard Contractual Clauses (SCC), meaning an agreement between the parties to the cross-border transfer of personal data (the controller and the processor or another controller);
  • Binding Corporate Rules (BCR), meaning sets of rules applying to cross-border data transfers within an international group of companies, an international holding with the head office in the EU, etc.;
  • a binding and enforceable instrument between public authorities or government agencies of the EU and the country importing the data;
  • an approved code of conduct developed in accordance with the GDPR together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards;
  • an approved certification mechanism developed in accordance with the GDPR together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards.
The second group of safeguards includes:
  • contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or
  • provisions to be inserted into administrative arrangements between public authorities or government agencies of the EU and the country importing the data, which include enforceable and effective data subject rights.
The SCC and the BCR are the arrangements most frequently used by most market players.

The EU data protection authorities and the Court of Justice of the EU stated in the aforementioned ruling in the Schrems case that these mechanisms are still in effect - and they are currently in fact the principal way to organise legitimate transfers of personal data from the European Union. However, according to some experts, the existence of SCC in a contractual relationship does not give full assurance to the parties to a cross-border transfer. The reason is that it is now the responsibility of the data controller in the EU to make sure that the state importing personal data ensures an adequate data protection level. If the controller concludes that adequate protection is impossible to ensure in the third country concerned, they will not be allowed to transfer data across the border to the foreign processor. But even where the parties believe that the conditions required for data transfers are fulfilled, European controlling authorities may decide otherwise during an audit and cancel the SCC. Moreover, some experts believe that SCC are actually obsolete as the basis for cross-border data transfers and are likely to be reviewed soon.

As far as the BCR are concerned, this mechanism is only applicable to a narrow range of entities and therefore it is not suitable for most market players. In addition, European regulators do not believe that the BCR are able to ensure protection of personal data in third countries in all situations. For example, if national authorities of the importing country request access to personal data, the processor may not refuse them by referring to the existence of valid BCR.

Thus, neither the SCC nor the BCR are currently able to ensure that the parties to a data transfer will be free from possible claims from EU authorities.

3. Where no appropriate safeguards are in place, one of the conditions described in Article 49 of the GDPR, which covers derogations from the general algorithm, may be the basis for the cross-border transfer of personal data. This list covers the following situations:
  • the data subject has explicitly consented to the proposed data transfer, after having been informed of the possible risks of such transfers due to the absence of an adequacy decision and appropriate safeguards;
  • the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request;
  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
  • the transfer is necessary for important reasons of public interest;
  • the transfer is necessary for the establishment, exercise or defence of legal claims;
  • the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
  • the transfer is made from a register which, according to Union or Member State law, is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.
From the perspective of business circles, the most popular situation from this list is the personal data subject’s consent to the cross-border transfer. According to the GDPR requirements, this consent must be informed and explicit. At the same time, the controller is obliged to inform the personal data subject of the possible risks of such transfers.

Data transfers on the basis of the data subject’s consent are currently the safest option in terms of possible public authority interventions. However, even the data subject’s consent does not rule out exposure to the risk of audits. The regulators may have questions as to whether the consent was sufficiently informed and whether the data subject was aware of all possible consequences of data transfers to a third country. Furthermore, it is highly probable that European authorities will limit the possibility of using this reason for data transfers in the near future in order to prevent its systematic use by market players.

The foregoing shows that the data transfer mechanisms currently in place need to be improved and the general situation remains uncertain. The European Data Protection Board (EDPB), which has promised to issue proper explanations, is expected to clarify the issues raised. The scheduled date of their release is not yet known, but it is likely that they will only be released after some months.

Recommendations for Russian companies

In this regard, Russian companies are particularly interested in the algorithm of actions required in the existing situation. Based on the data available to date, we recommend that the following be done:
  1. Switch to the SCC as soon as possible within the framework of your relationship with your European counterparties. Notwithstanding certain shortcomings, this mechanism is still in effect and remains the principal legitimate reason for data transfers.
  2. Conduct an internal audit and take steps preparatory to possible changes in the infrastructure (review your contracts, etc.). The mechanism for cross-border data transfers from the EU is likely to be reformed in the near future.
  3. Monitor the situation, wait for clarifications from the EDPB and other competent authorities that will have to ensure clarity and specify further procedures.
  4. Be prepared to receive diverse requests, recommendations and suggestions from your European counterparts, many of which are currently making efforts to bring their data transfer processes into compliance with the changing requirements of EU authorities.

CONTACT

Tatiana Vukolova

Lawyer

Associate Partner
