The Regulation lays down the principles for the transfer of personal data that is undergoing processing or is intended for processing after transfer to a third country or to an international organisation. The general principle for the transfers is that any transfer may take place only if the conditions for personal data transfer set forth under the Regulation, including with respect to onward transfers of personal data, are complied with by the controller and processor.
A transfer of personal data may take place if the third country or the international organisation in question ensures an adequate level of protection with respect to personal data. Similar provisions were in place under Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereafter referred to as the “Directive”). The adequacy of the level of protection with respect to personal data can be approved under a decision adopted by the European Commission. The adequacy decisions that have been adopted remain in force for an indefinite period until repealed or amended. The currently effective decisions of the European Commission pertain to: Andorra, Argentina, Canada, Switzerland, Israel, the islands of Guernsey, Jersey, Isle of Man, New Zealand, Uruguay, and to the special regulations governing the transfer of data between the European Union and the US – the Privacy Shield.
The Privacy Shield is a new package of legislation governing the transfer of personal data between the European Union and the US that replaced the previous one – the Safe Harbour. Under the Privacy Shield decision, US processors wishing to process personal data transferred from the European Union must comply with the principles ensuring protection of the privacy of individuals. The right to information is one of the fundamental principles. Individuals must be informed, among other things, of the type of data processed, the purpose of the processing, and the right of access to the data. Processors are also required to publish their privacy policies.
A transfer of personal data may also take place in the absence of a decision of the European Commission. However, under such circumstances, a controller or processor may transfer personal data only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. Such safeguards may be provided for, among other means, by a legally binding and enforceable instrument between public authorities or bodies or binding corporate rules. Further, pursuant to the Regulation, a transfer of personal data to a third country may also take place in the absence of an adequacy decision or appropriate safeguards. Under such circumstances, a transfer of data may take place only if one of the derogations for special situations listed under the Regulation applies. The Regulation extends the list of the derogations. All the derogations from the prohibition on transfer of personal data set forth under the Directive remain in force. Additionally, a transfer of data may take place if it is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request; if the transfer is necessary in order to protect the vital interests of the data subject or of another natural person, where the data subject is physically or legally incapable of giving consent; and when the transfer is necessary for the establishment, exercise, or defence of legal claims.