One of the data protection challenges that the GDPR poses for organisations is transferring data compliantly to countries outside the European Economic Area. The law does permit personal data transfers to what are known as third-party countries and international organisations, but there are various conditions to satisfy first.
Every non-compliant data transfer that your organisation makes could result in a fine of up to 4% of global annual turnover – a serious punishment worth avoiding – so we’ve looked into what sort of restrictions and allowances will come into effect when the GDPR becomes law in May 2018.
For a data transfer to a third-party country to take place, Article 45 of the EU data protection regulation requires that the third-party country in question be considered (by the European Commission) to have adequate personal data protection measures in place. But there are a few circumstantial exceptions to this rule.
Binding Corporate Rules
‘BCRs’ permit the transfer of data within a multinational corporation, provided that the rules fulfil the outlined conditions and requirements.
Article 46 stipulates the conditions under which ‘binding corporate rules’ (BCRs) may be approved by a supervisory authority if they are ‘in accordance with the consistency mechanism set out in Article 63’.
Article 47 outlines various derogations for third-party transfers that remove the requirement for specific authorisation from a supervisory authority. For instance, a ‘legally binding and enforceable instrument between public authorities or bodies’ can provide the appropriate safeguards for a lawful third-party data transfer under the GDPR.
Some of the more specific exemptions include:
- If the data subject is aware of the risks and explicitly consents to the data transfer. It is important to note that ‘Explicit consent’ is not ‘unambiguous consent’ – explicit consent “must specify the nature of data that’s being collected, the details of the automated decision and its effects, or the details of the data to be transferred and the risks of the transfer” (Directive 95/46/EC of the European Parliament).
- If the transfer is deemed necessary for reasons of public interest.
- If the transfer is necessary to protect the vital interests of the data subject.
- If the transfer is necessary to establish, exercise or defend a legal claim.
- If the transfer is necessary to conclude or perform a contract concluded in the interest of the data subject between the controller and another natural or legal person.
- If the transfer is intended to provide information to the public and is open to consultation either by the public or by any person who can demonstrate a legitimate interest, in accordance with Union or Member State law.
Codes of conduct
If a code of conduct of an association or representative body is to be used to demonstrate compliance, it must first be approved by the appropriate supervisory authorities. It’s advisable for organisations that are considering this method of compliance to get a head start and find (or create) a representative body or association to develop a code of conduct for later approval.
Codes of conduct that only affect a single member state must be submitted to that country’s supervisory authority for feedback and possible modification or elaboration.
Codes of conduct that cover data processing in numerous member states need to be submitted to the EDPB – The European Data Protection Board – for prior comment or elaboration before being sent to the European Commission for approval.