Whether the data may be transferred abroad will mainly depend if the destination country belongs to the European Economic Area.
Data transfer within the European Economic Area
Inside the European Economic Area (European Union Member States + Iceland, Norway and Liechtenstein) a free flow of data is guaranteed. In other words: it is always permitted to transfer the personal data between these countries.
Data transfer outside the European Economic Area
In principle, transferring the personal data outside the European Economic Area is permitted only if several requirements are fulfilled. The main condition is whether the country of destination ensures adequate level of personal data protection in its territory.
- Such an adequate level is evaluated by taking into account all the circumstances concerning a data transfer operation, especially the:
- nature of the data, purpose and duration of the proposed data processing operations
- country of origin and the country of final destination
- legal provisions of the third country
- security measures and professional rules applied in the third country
Furthermore, the adequate level of protection does not need to be assessed if the data transfer to a non-EEA country results from an obligation imposed by legal provisions or ratified international agreements that guarantee adequate level of data protection, or in the following situations:
- expression of the data subject’s written consent
- transfer is necessary for the performance of a contract:
- between the data subject and the controller
- which takes place in response to the data subject’s request, or
- which is concluded in the interests of the data subject between the controller and another subject
- transfer is necessary or required by reasons of public interests or for the establishment of legal claims
- transfer is necessary for the protection of the data subject’s vital interests
- transfer relates to data which are publicly available
In any other cases, the Inspector’s General consent by means of an administrative decision will need to be obtained. Such data transfer may be initiated only after the Inspector’s General have consented to it. Any transfers performed before his/her decision are not legalized by a positive decision.
While considering the request for the transfer, the Inspector General must assess if the controller provides adequate safeguards protecting data subject’s privacy, rights and freedom. Such assessment takes into account the same principles that are used in the general assessment of the data protection level in a third country. The controller can ensure an adequate level of protection, primarily through the adoption of appropriate contractual obligations.
The Inspector General’s consent is not needed if the controller ensures adequate safeguards by either the standard contractual clauses on personal data protection, or binding corporate rules, which were already approved by the Inspector General.