Difference between revisions of "Article 45 GDPR"

From GDPRhub

Revision as of 10:05, 20 April 2021


Legal Text


Article 45 - Transfers on the basis of an adequacy decision


1. A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.

2. When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements:

(a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred;
(b) the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the Member States; and
(c) the international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.

3. The Commission, after assessing the adequacy of the level of protection, may decide, by means of implementing act, that a third country, a territory or one or more specified sectors within a third country, or an international organisation ensures an adequate level of protection within the meaning of paragraph 2 of this Article. The implementing act shall provide for a mechanism for a periodic review, at least every four years, which shall take into account all relevant developments in the third country or international organisation. The implementing act shall specify its territorial and sectoral application and, where applicable, identify the supervisory authority or authorities referred to in point (b) of paragraph 2 of this Article. The implementing act shall be adopted in accordance with the examination procedure referred to in Article 93(2).

4. The Commission shall, on an ongoing basis, monitor developments in third countries and international organisations that could affect the functioning of decisions adopted pursuant to paragraph 3 of this Article and decisions adopted on the basis of Article 25(6) of Directive 95/46/EC.

5. The Commission shall, where available information reveals, in particular following the review referred to in paragraph 3 of this Article, that a third country, a territory or one or more specified sectors within a third country, or an international organisation no longer ensures an adequate level of protection within the meaning of paragraph 2 of this Article, to the extent necessary, repeal, amend or suspend the decision referred to in paragraph 3 of this Article by means of implementing acts without retro-active effect. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).

On duly justified imperative grounds of urgency, the Commission shall adopt immediately applicable implementing acts in accordance with the procedure referred to in Article 93(3).

6. The Commission shall enter into consultations with the third country or international organisation with a view to remedying the situation giving rise to the decision made pursuant to paragraph 5.

7. A decision pursuant to paragraph 5 of this Article is without prejudice to transfers of personal data to the third country, a territory or one or more specified sectors within that third country, or the international organisation in question pursuant to Articles 46 to 49.

8. The Commission shall publish in the Official Journal of the European Union and on its website a list of the third countries, territories and specified sectors within a third country and international organisations for which it has decided that an adequate level of protection is or is no longer ensured.

9. Decisions adopted by the Commission on the basis of Article 25(6) of Directive 95/46/EC shall remain in force until amended, replaced or repealed by a Commission Decision adopted in accordance with paragraph 3 or 5 of this Article.

Commentary

Overview

Article 45 GDPR concerns the complex issue of international data transfers. The huge amounts of data transferred from the EU to third countries made it necessary to adopt provisions ensuring that precautionary measures protect those transfers. The level of protection to be achieved is promoted and defined in Chapter V of the GDPR. On the basis of Article 45 GDPR, the European Commission has the power to determine whether a country outside the EU offers an adequate level of data protection. The European Commission has so far recognised the following countries as providing adequate protection by means of 'adequacy decisions': Andorra, Argentina, Canada (only commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay. The current adequacy decisions can be found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.

Adequacy decision

Under Article 45, a transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection.

Criteria

In order to be granted an adequacy decision, the country (or other geographical area, see above) must be able to ensure an adequate level of data protection. In performing the assessment, the European Commission takes different elements into account. Among these are the national laws and the respect for and protection of human rights and freedoms, national security, data protection laws, the existence of a DPA or another kind of data protection body, and the binding commitments or agreements that the country has adopted nationally. In 2017, the Working Party 29 published a paper, endorsed by the EDPB, which identifies the principles and mechanisms that should exist in the data protection system of a third country or an international organisation for it to be considered adequate. The principles include: (1) basic data protection principles; (2) lawful and fair processing for legitimate purposes; (3) the purpose limitation principle; (4) the data quality and proportionality principle; (5) the data retention principle; (6) the security and confidentiality principle; (7) the transparency principle; (8) the rights of access, rectification, erasure and objection; (9) restrictions on onward transfers.

Third countries do not have to implement the exact, identical or equivalent measures of protection provided by the EU in order for their data protection system to be deemed adequate. The fundamentally different ideas on the protection of personal data among the different states, in combination with the economic policy and entrepreneurial freedoms promoted by the EU, leave room for adaptation by third countries. At the same time, it must be noted that an adequacy decision cannot regulate the exchange of data for the purpose of national security or the common foreign and security policy. [1]

Procedure

The process for adopting an adequacy decision requires[2] the submission of a proposal by the European Commission, an opinion from the European Data Protection Board (EDPB), approval by representatives of the EU countries and, finally, the adoption of the decision by the European Commission. The significance of the decision is easy to understand from its effect: after the adoption of a decision, personal data can flow from the EEA to the third country without any further safeguards being required. [3]

The Commission can issue adequacy decisions for any country that is not an EU Member State or party to the EEA or, as the article provides, for an international organisation. So far the Commission has issued adequacy decisions for a number of countries, namely Andorra, Argentina, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay, while a partial adequacy decision has been issued for Canada.[4] Adequacy talks were concluded with South Korea on 30 March 2021.

Time of validity

Adequacy decisions have to be reviewed at least every four years, and they can be repealed, amended or suspended, without retroactive effect, when the third country or the organisation no longer ensures an adequate level of protection. The absence of retroactive effect is a departure from the general position in EU law, under which an EU act that ceases to be valid disappears from the legal order as from the date of its entry into force (ex tunc). [5] Following the amendment or the repeal, the Commission has to enter into consultations with the third country or the international organisation in order to remedy the situation. [6] All decisions concerning adequacy must be published in the Official Journal of the EU.

Content

An adequacy decision must contain a number of specific elements. [7] More precisely, it must contain at least:

1. A statement that the third country or the international organisation ensures adequate protection through its domestic law and regulations.
2. The territorial and sectoral application of the decision (Article 45(3) GDPR).
3. A mechanism for periodic review.
4. Identification of the supervisory authority or authorities responsible for ensuring and enforcing compliance with the data protection rules (Article 45(2)(b) and (3) GDPR).

Schrems II

Regarding transfers to the USA: the European Commission and the US Department of Commerce negotiated special terms for data transfers from the EU to the US in the framework of the 'Privacy Shield'. Transfers to the US are not allowed per se, but only to companies in the USA participating in the Privacy Shield. For this purpose, companies have to commit to complying with the Principles of the Privacy Shield and self-certify to the US Department of Commerce. The validity of this framework was examined by the Court of Justice of the EU in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (case C-311/18, Schrems II). In its judgment of 16 July 2020, the Court highlighted the importance of maintaining a high level of protection for data transferred from the EU to third countries. According to the Court, [8] the lack of necessary limitations and safeguards on the powers of the authorities under US law, the primacy of US law enforcement requirements over those of the Privacy Shield (para. 164), the lack of an effective remedy in the US for EU data subjects (paras. 191-192), particularly in light of proportionality requirements (paras. 168-185), and the deficiencies in the Privacy Shield Ombudsman mechanism (paras. 193-197) should all lead to the invalidation of the Privacy Shield. The Court found that the Privacy Shield Decision was invalid (para. 201) with immediate effect (para. 202). [9] As regards the enforcement of Article 45, the Schrems II judgment also stated (para. 63) that an individual must be able to lodge a claim with a DPA contesting the compatibility of a data transfer based on an adequacy decision with the protection of privacy and fundamental rights, and that the DPA must examine the claim with all due diligence.


Decisions

→ You can find all related decisions in Category:Article 45 GDPR

References

[1] Commission Decision 2004/535/EC of 14 May 2004, repealed by the ECJ judgment of 30 May 2006 in Cases C-317/04 and C-318/04, EuZW 2006, 357.
[2] https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
[3] https://www.dataprotection.ie/en/organisations/international-transfers/transfers-personal-data-third-countries-or-international-organisations
[4] https://tietosuoja.fi/en/transfers-on-the-basis-of-an-adequacy-decision
[5] Lenaerts, Maselis and Gutman 2014, locations 18058-18065.
[6] The EU General Data Protection Regulation (GDPR): A Commentary, edited by Christopher Kuner, Lee A. Bygrave and Christopher Docksey, p. 789.
[7] Ibid., p. 785.
[8] https://europeanlawblog.eu/2020/07/21/after-schrems-ii-uncertainties-on-the-legal-basis-for-data-transfers-and-constitutional-implications-for-europe/
[9] https://europeanlawblog.eu/2020/07/17/the-schrems-ii-judgment-of-the-court-of-justice-and-the-future-of-data-transfer-regulation/