GDPR Articles With Commentary & EU Case Laws by Adv. Prashant Mali (red seas under red skies txt) π
Read free book Β«GDPR Articles With Commentary & EU Case Laws by Adv. Prashant Mali (red seas under red skies txt) πΒ» - read online or download for free at americanlibrarybooks.com
- Author: Adv. Prashant Mali
Read book online Β«GDPR Articles With Commentary & EU Case Laws by Adv. Prashant Mali (red seas under red skies txt) πΒ». Author - Adv. Prashant Mali
The mechanisms for reporting and recording changes to the rules and reporting those changes to the supervisory authority;
The cooperation mechanism with the supervisory authority to ensure compliance by any member of the group of undertakings, or group of enterprises engaged in a joint economic activity, in particular by making available to the supervisory authority the results of verifications of the measures referred to in point (j);
The mechanisms for reporting to the competent supervisory authority any legal requirements to which a member of the group of undertakings, or group of enterprises engaged in a joint economic activity is subject in a third country which are likely to have a substantial adverse effect on the guarantees provided by the binding corporate rules; and
The appropriate data protection training to personnel having permanent or regular access to personal data.
The Commission may specify the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 93(2).
Suitable Recitals
(110) Binding corporate rules.
COMMENTARY:
It should be recalled that BCR-P (BCRs for processors) apply to data received from a controller established in the EU which is not a member of the group and then processed by the group members as processors and/or sub processors; whereas BCRs for Controllers (BCR-C) are suitable for framing transfers of personal data from controllers established in the EU to other controllers or to processors established outside the EU within the same group. Hence the obligations set out in the BCR-P apply in relation to third party personal data that are processed by a member of the group as a processor according to the instructions from a non-group controller.
Taking into account that Article 47.2 of the GDPR lists a minimum set of elements to be contained within a BCR, this amended table is meant to: - Adjust the wording of the previous referential so as to bring it in line with Article 47 GDPR, - Clarify the necessary content of a BCR as stated in Article 47 and in document WP 2041 adopted by the WP29 within the framework of the Directive 95/46/EC, - Make the distinction between what must be included in BCRs and what must be presented to the competent Supervisory Authority in the BCRs application (document WP 195a2), and - Provide explanations/comments on each of the requirements. Article
47 of the GDPR is clearly modeled on the Working documents relating to BCRs adopted by the WP29. However, it specifies some new elements that need to be taken into account when updating already existing approved BCRs or adopting new sets of BCRs so as to ensure their compatibility with the new framework established by the GDPR.
Binding Corporate Rules (BCRs) are an intra company code of conduct that regulates the principles and rules that apply to the processing and transfer of personal data within a company group, including cross-border. BCRs were established through the standard practice of data protection authorities (DPAs) and the guidance of the Article 29 Working Party (WP29). The upcoming General Data Protection Regulation (GDPR) explicitly recognizes BCRs, both for controllers (BCR-
C) and processors (BCR-P). It also extends the scope of application not only to a corporate group but also to a group of enterprises engaged in a joint economic activity, for instance joint ventures.
After WP29 endorsed BCR-C as a useful mechanism for data transfers of complex international structures in 2003, several companies adopted them. Instead of having to justify international transfers on an individual basis, and concluding model contracts with numerous parties, BCRs allow a single set of transfer rules for
the entire company group. In todayβs interconnected world, it is increasingly important to easily transfer data wherever needed, and BCRs offer the flexibility required for such elaborate transfers.
A framework for BCR-Ps was introduced much later, in 2012, and their further inclusion in the GDPR was fiercely debated. In endorsing their inclusion, WP29 praised the merits of BCR-P as an optimal solution for international data transfers. At the same time, WP29 held that BCR-P provides more transparency and accountability requirements beyond those provided in model clauses or other transfer mechanisms (e.g., the current Privacy Shield).
Increased Flexibility
BCRs will become more flexible under the GDPR. Under the current regime, countries have to first approve their BCRs in all relevant countries through mutual recognition or a cooperation procedure. They still need to obtain national DPA authorizations in certain countries to allow for the transfer of personal data under the BCRs. These transfer permits only allow specific transfers, and any time a company wants to expand or alter its transfers, a new notification and permitting procedure is required. Making things more complicated, BCRs are not recognized in Portugal as a valid legal basis to transfer personal data outside of the European Economic Area (EEA).
The GDPR does not contain DPA notification and authorization requirements for data transfers. National authorizations of BCRs will be abolished, which will significantly reduce the time required to introduce a BCR and will increase flexibility altogether. Because of the direct applicability of the GDPR in all EU member states, any remaining inconsistencies (e.g., Portugal) will be automatically ironed out. As a result, processors will likely increasingly rely on BCR-Ps to justify transfers outside the EEA since they will be able to engage in practically unlimited data transfers within their company groups.
Demonstrate Accountability
Under the GDPR, the data transfer rules are also directly applicable to processors. Processors should, therefore, no longer be dependent on data transfer mechanisms put in place by controllers, but rather have their own tools available to comply with these requirements. Besides, WP29 has indicated that a BCR is an organizational accountability tool that has many merits beyond contractual solutions such as the EC model clauses. For intragroup transfers, BCR-P not only provides a good basis for transfers but also helps demonstrate broader compliance with the GDPR, for instance the principles of accountability, lawfulness of processing, general processing requirements, and security of processing.
Meet the By-Default and By-Design Requirement and Avoid High Fines
GDPR refers to the requirement of ensuring data protection by design and by default. Therefore, companies should introduce appropriate technical and organizational measures so that all the data protection principles are met. This is a
relatively wide concept, and high GDPR fines (up to 4% of a companyβs global turnover or β¬20 million, whichever is higher) leave no room for experimentation.
To this end, the GDPR provides that an approved certification mechanism, like a BCR-P, may be used as an element to demonstrate compliance with the by-design and by-default requirements. This tangible uplift in compliance may save companies substantial amounts of money.
Reduce a Companyβs Operational Cost and Administrative Burden
A BCR-P can also reduce a companyβs overall operational cost. While a processor, a company may be required to make several cross-border transfers across the globe. If it opts for Model Clauses, for example, the overall cost of the process will be higher, and the administrative burden of dealing with several different schemes particularly heavy. The cost of a BCR is significant in the beginning, yet once in place, less time and money is required for daily company operations.
Enhance Customer Confidence
A BCR is a very detailed code of conduct that exposes a companyβs policies and procedures to regulators and the public. Once enforced, a BCR signals to customers that the company takes its data protection duties very seriously and that their data is in safe hands. Processors may operate in various sensitive industries (e.g., financial services, telecoms, technology) where reputation is extremely important and may have a significant impact on a companyβs viability and profitability. BCRs communicate a transparent, robust, and holistic data protection approach.
Future Procedural Flexibility
The GDPR gives leeway to the European Commission, upon consultation with the newly introduced European Data Protection Board (EDPB), to create procedural rules in the future to better facilitate the approval process. Since the European Commission may specify the format and procedures for BCR-Ps, it is likely we will experience model BCR approval procedures, which may streamline the BCR approval process even further.
Art. 48 GDPR Transfers or disclosures not authorised by Union law
Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.
Suitable Recitals
(115) Rules in third countries contrary to the Regulation.
COMMENTARY:
There is no analogous provision under the Directive. To understand whether or not Art. 48 will complicate discovery requires not only understanding how the EU will interpret and apply this provision and its requirements, but also how courts in the other country will interpret the Article. As explained, the legislative bodies have ultimately decided to include Art. 48 in order to specifically regulate requests from a court, tribunal, or administrative authority, which is based in a third country (i.e., a country outside of the European Economic Area).
Since such provision cannot be found in the Directive 95/46/EC, as the current data protection regime in the EU which national laws are based on, it is questionable how the new Art. 48 will be interpreted and if and how it will ultimately change the legal requirements when it comes to dealing with discovery requests from third countries.
Art. 49 GDPR Derogations for specific situations
In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:
The data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
The transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subjectβs request;
The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
The transfer is necessary for important reasons of public interest;
The transfer is necessary for the establishment, exercise or defence of legal claims;
The transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
The transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.
Where a transfer could not be based on a provision in Article 45 or 46, including the provisions on binding corporate rules, and none of the derogations for a specific situation referred to in the first subparagraph of this paragraph is applicable, a transfer to a third country or an international organisation may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. The controller shall inform the supervisory authority of the transfer. The controller shall, in addition to providing the information referred to in Articles 13 and 14, inform the data subject of the transfer and on the compelling legitimate interests pursued.
A transfer pursuant to point (g) of the first subparagraph of paragraph 1 shall not involve the entirety of the personal data or entire categories of the personal data contained in the register. Where the register is intended for consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or if they are to be the recipients.
Points (a), (b) and (c) of the first subparagraph of paragraph 1 and the second subparagraph thereof shall not apply to activities carried out by public authorities in the exercise of their public powers.
The public interest referred to in point (d) of the first subparagraph of paragraph 1 shall be recognised in Union law or in the law of the Member State to which the controller is subject.
In the absence of an adequacy decision, Union or Member State law may, for important reasons of public interest, expressly set limits to the transfer of specific categories
Comments (0)