The Regulation lays down the principles for transfer
of personal data that is undergoing processing or is
intended for processing after transfer to a third
country or to an international organisation. The
general principle for the transfers is that any
transfer may take place only if the conditions for
personal data transfer set forth under the
Regulation, including with respect to onward
transfers of personal data, are complied with by
the controller and processor.
A transfer of personal data may take place if the
third country or the international organisation in
question ensures an adequate level of protection
with respect to personal data. Similar provisions
were in place under Directive 95/46/EC of the
European Parliament and of the Council on the
protection of individuals with regard to the
processing of personal data and on the free
movement of such data (hereafter as “Directive”).
The adequacy of the level of protection with
respect to personal data can be approved under a
decision adopted by the European Commission. The
adequacy decisions that have been adopted remain
in force for an indefinite period until repealed or
amended. The currently effective decisions of the
European Commission pertain to: Andorra, Argentina, Canada, Switzerland, Israel, the islands
of Guernsey, Jersey, Isle of Man, New Zealand,
Uruguay, and to the special regulations governing
transfer of data between the European Union and
the US – the Privacy Shield.
The Privacy Shield is a new package of legislation
governing the transfer of personal data between
the European Union and the US that replaced the
previous one – the Safe Harbour. Under the Privacy
Shield decision, US processors wishing to process
personal data transferred from the European Union
must comply with the principles ensuring protection
of the privacy of individuals. The right to
information is one of the fundamental principles.
Individuals must be informed, among others, of the
type of data processed, purpose of the processing,
or the right of access to the data. Processors are
also required to publish their privacy policies.
A transfer of personal data may also take place in
the absence of a decision of the European
Commission. However, under such circumstances a
controller or processor may transfer personal data
only if the controller or processor has provided
appropriate safeguards, and on condition that
enforceable data subject rights and effective legal
remedies for data subjects are available. Such
safeguards may be provided for, among others, by a
legally binding and enforceable instrument between
public authorities or bodies or binding corporate
rules. Further, pursuant to the Regulation, a
transfer of personal data to a third country may
also take place in the absence of an adequacy
decision or appropriate safeguards. Under such
circumstances, a transfer of data may take place
only if one of the derogations for special situations
listed under the Regulation occurs. The Regulation
extends the list of the derogations. All the
derogations from prohibition on transfer of personal
data set forth under the Directive remain in force.
Additionally, a transfer of data may take place if it
is necessary for the performance of a contract
between the data subject and the controller or the
implementation of pre-contractual measures taken
at the data subject’s request; if the transfer is
necessary in order to protect the vital interests of
the data subject or of another natural person,
where the data subject is physically or legally
incapable of giving consent; and when the transfer
is necessary for the establishment, exercise or
defence of legal claims.
MILLER, CANFIELD,
W. BABICKI, A. CHEŁCHOWSKI I WSPÓLNICY SP.K.
ul. Batorego 28-32
81-366 Gdynia
Tel. +48 58 782-0050
Fax +48 58 782-0060
gdynia@pl.millercanfield.com
ul. Nowogrodzka 11
00-513 Warszawa
Tel. +48 22 447-4300
Fax +48 22 447-4301
warszawa@pl.millercanfield.com
ul. Skarbowców 23a
53-125 Wrocław
Tel. +48 71 780-3100
Fax +48 71 780-3101
wroclaw@pl.millercanfield.com
Disclaimer: This publication has been prepared for clients and professional associates of Miller Canfield. It is intended to provide only a summary of
certain recent legal developments of selected areas of law. For this reason the information contained in this publication should not form the basis of any
decision as to a particular course of action; nor should it be relied on as legal advice or regarded as a substitute for detailed advice in individual cases.
The services of a competent professional adviser should be obtained in each instance so that the applicability of the relevant legislation or other legal
development to the particular facts can be verified.