Press Room

24 November, 2015

Following the judgment of the Court of Justice of the European Union in case C-362/2014 of 6 October 2015, which invalidated the Safe Harbor Protocol governing international data transfers between Europe and the United States, data controllers should regularize the data transfers they usually carry out under this Protocol, as the Spanish Data Protection Agency has been notifying them in recent days.

International data transfers made to countries that do not provide an equivalent level of protection, without the authorization of the Director of the Spanish Data Protection Agency, can be classified as very serious infringements (Art. 44.4.d LOPD Act), punished with a fine of 300,001 up to 600,000 euros, except in those cases where, under data protection legislation, such authorization is not necessary.

Therefore, pending the negotiations between Europe and the United States aimed at adopting new mechanisms that allow international data transfers in accordance with the principles and provisions of the European Directive (Safe Harbor 2.0), any company carrying out international personal data transfers to the US (either to entities of the same group or to providers) must regularize them with the Spanish Data Protection Agency.

To that end, data controllers should adopt one of the following options, as stated by the European Commission on November 6, 2015:

1)   Authorization from the Spanish Data Protection Agency Director:

The obligations laid down in the Data Protection Act (LOPD) must be complied with, and it must also be established that sufficient guarantees have been obtained with regard to the protection of the privacy of individuals and their fundamental rights and freedoms, and that the exercise of their rights is guaranteed (e.g. by providing a written contract between the data exporter and importer stating such guarantees).

a)   International Transfers between data controllers: Contracts executed fully under the terms contained in European Commission Decisions 2001/497/EC of June 15, 2001, and 2004/915/EC of December 27, 2004, the latter amending the former, meet the mentioned guarantees. These decisions contain sets of contractual clauses; data controllers may choose either set, or use neither, but they cannot modify or combine them.

b)   International Transfers between data controller and data processor: Contracts that include the standard contractual clauses set out in Commission Decision 2010/87/EU of 5 February 2010 will meet these guarantees.

c)   International Transfers between data processor and sub-processor: Contracts that include the standard clauses adopted in the resolution of the Spanish Data Protection Agency on International Data Transfer Authorization (16th October 2012) will meet these guarantees. Along with the contract between the data processor/exporter and the data sub-processor/importer, a framework contract between the data controller and the processor/exporter will be required, which shall authorize the subcontracting and the international data transfer.

In these cases, to seek authorization from the Director of the Spanish Data Protection Agency, where it is requested by the File Manager, the following must be provided: (i) a written request identifying the files to be transferred and the code number under which each is registered in the Data Protection Registry; (ii) the contract based on the contract terms signed by the parties (original copy or certified copy) and, where applicable, a sworn translation into Spanish; and (iii) sufficient powers of the signatories and, where appropriate, a sworn translation into Spanish. In this case the registration of the files must be completely up to date.

In cases where the exporter is considered responsible for the data processing, the following must be provided: (i) a written application identifying the exporter-data processor and the importer-subprocessor; (ii) the contract based on the Contract Clauses signed by the parties (original copy or certified copy) and, where appropriate, an official translation into Spanish; (iii) the Framework Agreement between the controller and the data processor/exporter which authorizes the latter to subcontract and to carry out the international data transfer and, where appropriate, an official translation into Spanish; and (iv) sufficient powers of the signatories and, where appropriate, a sworn translation into Spanish.

In accordance with the current legislation on data protection, international transfers between companies within the same multinational group may be authorized, provided the group has adopted internal rules that are binding and enforceable on these companies under Spanish law. In this regard, Royal Decree 1720/2007 of 21 December, which approves the Regulation implementing Law 15/1999 of 13 December (hereinafter, “RLOPD”), establishes (art. 70.4 and Title IX, Chapter V) the legal regime applicable to them.

In this case, account must be taken of the working papers drafted by the Article 29 Working Party on the content of binding corporate rules and on the preliminary procedure that takes place between the different Member States involved in order to approve them.

2)   Exceptions to the authorization of the Director of the Agency:

Additionally, it should be noted that Article 34 of the Data Protection Act and Article 66.2 of the RLOPD establish a series of cases that are exempt from prior authorization by the Director of the Spanish Data Protection Agency:

  • When the international transfer results from the application of treaties or conventions to which Spain is a party.
  • When the transfer is made for the purpose of providing or requesting international judicial aid.
  • When the transfer is necessary for medical prevention or diagnosis, the provision of healthcare or treatment, or the management of health services.
  • When it concerns money transfers made under specific legislation.
  • When the owner of the personal data has given his unambiguous consent to the proposed transfer.
  • When the transfer is necessary for the performance of a contract between the affected individual and the data controller, or for the adoption of precontractual measures taken at the request of the affected individual.
  • When the transfer is necessary for the conclusion or performance of a contract concluded, or to be concluded, in the interests of the affected individual between the data controller and a third party.
  • When the transfer is necessary or legally required to safeguard a public interest (transfer requested by a tax or customs authority for the fulfillment of its competences).
  • When the transfer is necessary for the establishment, exercise or defense of a right in a legal process.
  • When the transfer is made, at the request of a person with a legitimate interest, from a public registry and is consistent with the purpose of that registry.

It should be remembered that the Spanish Data Protection Agency is contacting the data controllers whose data were subject to the invalidated Safe Harbor Protocol, so that they proceed to regularize the corresponding international data transfers.

That being said, it is necessary to note that, even if international data transfers are regularized as described, where the recipient of the information is a company located in the territory of the United States or of American nationality, the US authorities may, in accordance with current regulations in the United States, require indiscriminate access to the information, as recognized by the CJEU judgment. The court itself declared this type of indiscriminate access, made without adequate prior justification, to be incompatible with European data protection regulation.

Accordingly, companies must undertake the actions necessary for the regularization process, in addition to any new mechanisms that may be adopted by the European Union and any agreements that may be reached with the United States, as long as these ensure compliance with the principles contained in the Directive, in order to guarantee the effective protection of citizens’ right to the protection of their personal data.


ECIJA Information Technology AREA

www.ecija.com