Are there restrictions on the transfer of personal data overseas?
Transferring personal data is essentially a processing operation which must be notified to the Commissioner. If such data is transferred to an EU Member State, a country which is a member of the EEA, or to a third country provided that such third country is recognised as having an adequate level of protection, no restrictions or other formalities apply as long as the provisions of the DPA are complied with. The Commissioner has the power to assess whether such an adequate level of protection exists in order to allow transfer of personal data to a third country. A transfer of personal data to a third country not ensuring an adequate level of protection may still be carried out, provided that the data subject has given his unambiguous consent or if the transfer is necessary for certain specified circumstances which the DPA provides for, such as for the performance of the contract which is to be concluded in the interests of the data subject, amongst others. In any case, the Commissioner may authorise the transfer of personal data to a third country that does not ensure an adequate level of protection, if he is satisfied that the controller offers adequate safeguards by means of standard contractual clauses, which are deemed to be sufficient in protecting the privacy and fundamental rights and freedoms of individuals.
With respect to transfers of personal data from Malta to the United States (‘U.S.’), as long as the entities to which data is being transferred within the U.S. comply with the EU-U.S. Privacy Shield, which became operational on 1 August 2016, then mere notification to the Commissioner is required.
In the event that data needs to be transferred within a multinational organisation, Binding Corporate Rules are seen to be a valuable tool should data be transferred regularly and can be adopted without having to sign a separate agreement with each intra-group entity for each processing operation requiring an international data transfer.
The Personal Data Act Chapter V governs the transfer of personal data to other countries. Section 29 of the Act prescribes that the transfer of personal data to another country mandates that said country is capable of ensuring an adequate level of protection of the data in question. The assessment of the adequacy of the level of protection shall be based on the nature of the personal data, the purpose and duration of the proposed processing and the rules of law and the professional rules and security measures that apply in the country in question.
Countries that have implemented Directive 95/46/EC are deemed to fulfil the requirement with regard to an adequate level of protection. These include the 28 EU countries and the three EEA member countries (Norway, Liechtenstein and Iceland).
Furthermore, the European Commission has determined, through a series of Commission decisions, that a number of countries fulfil the abovementioned requirement. At the time of the publication of this guide, these countries include Andorra, Argentina, Canada (commercial organisations), the Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.
Where a Norwegian entity wishes to transfer personal data to a receiving party in the United States, such transfer is allowable where the receiving party is certified under the EU-U.S. Privacy Shield Framework, cf. https://www.commerce.gov/tags/eu-us-privacy-shield for a complete list of all certified entities.
Except as provided above, the transfer of personal data overseas usually entails an application to the Norwegian Data Protection Authority, providing safeguards for the protection of the rights of the data subject concerned. Depending on the situation, the transferring party may choose to utilise the EU Model Contracts for the transfer of personal data to third countries. By using the Model Contracts for the transfer of personal data to a data processor, the transferring party need only notify the Data Protection Authority of the transfer itself.
Where the transfer is between a group of companies, the transferring party may choose to transfer the personal data under Binding Corporate Rules (BCR). While not mentioned in Directive 95/46/EC or the Personal Data Act, BCR are usually accepted where they provide sufficient safeguards for the protection of the rights of the data subject concerned. The Data Protection Authority, as well as at least one other Data Protection Authority within the European Economic Area, must approve the BCR before they are used as a basis for the transfer of personal data.
In accordance with Section 30 of the Act, personal data may also be transferred to countries that do not ensure an adequate level of protection if, inter alia, the data subject has consented to the transfer or the transfer is necessary in order to establish, exercise or defend a legal claim.
The Data Protection Authority may allow the transfer of personal data even if the aforementioned requirements are not fulfilled, where the data controller provides adequate safeguards with respect to the protection of the rights of the data subject. The Data Protection Authority may stipulate requirements for the transfer.
Personal data must not be transferred to foreign countries without the data subject's explicit consent. However, personal data can be transferred outside Turkey without the consent of the data subject if any of the seven grounds referred to in Question 8 exists and if either:
- There is an adequate level of data protection in the foreign country or
- The data controllers in Turkey and the receiving country undertake that the data will be protected in writing, and the approval of the Data Protection Authority is obtained.
The list of countries which provide adequate level of data protection has not yet been published by the DPA as of 20 July 2017.
The Cyber Security Law introduces the rule of data localization for operators of Critical Information Infrastructure (CII). Personal information and important data collected and generated by operators of CII while operating their business in China should be stored in China. CII means the infrastructures used for public communications, information service, energy, transport, water conservancy, finance, public services, e-government affairs and other important industries and fields, and other infrastructures that, once they are destroyed or any loss of function or data leakage occurs, will result in serious damage to national security, the national economy, people's livelihood and the public interest. Where there is a business necessity and the entity needs to transfer the personal information and important data overseas, it should conduct a security assessment process.
The Measures for the Security Assessment of Personal Information and Critical Data Cross-border Transfer and the Guidelines for the Security Assessment of Data Cross-border Transfer provide further guidance on how the security assessment might be carried out.
The Mexican Data Protection Law provides that when a data controller intends to transfer personal data to a domestic or foreign third party, other than the data processor (individual or entity who processes personal data on behalf of the data controller, individually or jointly with others), it must provide them with the privacy notice and the purposes for which the data subject has limited the processing of such data.
Any data transfer, whether national or international, is subject to: (i) the consent of the data subject, with the exceptions provided by the applicable law; (ii) the data subject being informed of the transfer through the privacy notice; and (iii) the transfer being limited to the purposes disclosed to the data subject.
National and international transfers of personal data shall be formalized/documented. The formalization of national and international transfers may be done through clauses or agreements that establish: (i) that the data controller informs the importer of the conditions under which the data subject consented to the processing of his/her personal data; and (ii) that the importer assumes the same obligations as those of the data controller.
It is important to note that data transfers are not subject to prior authorization of the DPA, in this case the INAI. Nevertheless, under certain circumstances, a data controller may request the opinion of the INAI to confirm that an international transfer complies with the Mexican data protection laws.
Under the Mexican Data Protection Law, there are no “third countries” as provided in the EU law (GDPR). No special or prior authorization is required to transfer data outside the Mexican territory. However, as mentioned before, data transfers shall be documented/formalized in clauses or agreements between the data exporter and the data importer.
Yes, if such data would then be going to a processor outside the EEA. In such event, extra-territorial transfers would only be permissible if:
- the data subject consents;
- the transfer is essential for a contract to which the data subject is a party;
- the transfer is essential for a different contract but it serves the data subject's interests;
- the transfer is legally required/essential to an important public interest;
- the non-EEA jurisdiction provides "adequate protections" (eg has laws commensurate with those in the UK/EU);
- the transfer is pursuant to "standard contractual clauses" approved by the European Commission;
- the transfer is to the US in compliance with the "Privacy Shield" programme.
Yes. The transfer of personal data abroad by the data controller is subject to a prior notification to the Data Protection Agency. In such cases the Data Protection Agency will assess the adequate level of protection of personal data on a case-by-case basis, by taking into consideration the nature of the data to be transferred, the processing scope and the proposed duration of the processing.
According to the Data Protection Act, data may be transferred abroad only provided that the State towards which the transfer is made ensures an adequate level of protection.
The Data Protection Agency may approve the transfer of personal data to another State that does not provide the same level of protection as Romania only if satisfactory guarantees with regard to a person's fundamental rights are provided by the data controller.
The transfer of personal data can be made only in the following situations:
- based on the adequacy status of the third country conferred by the European Commission;
- where the data subject has given explicit consent;
- the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures taken in response to the data subject's request;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party;
- the transfer is necessary or legally required on important public interest grounds, public order or national security, provided that the personal data is processed for this purpose and for no longer than necessary;
- the transfer is necessary in order to protect the life, physical integrity or health of the data subject;
- the transfer is made based on requested access to official documents which are open to the public or by a request of information from public records.
Under the Privacy Code, personal data can be transferred with no restrictions to (i) any European Economic Area (EEA) country; or (ii) any non-EEA country which has been recognized by the European Commission as a country ensuring an adequate level of protection; or (iii) any US data importer which is a Privacy Shield certified entity. Personal data cannot be transferred to other non-EEA countries unless: (i) the data exporter and the data importer belong to a group of companies which has adopted the so-called binding corporate rules; or (ii) the data exporter and the data importer have entered into the standard contractual clauses approved by the European Commission and the DPA; or (iii) the data exporter and the data importer have entered into a different data transfer agreement that has been specifically approved by the DPA. Furthermore, personal data can be transferred to other non-EEA countries, among other marginal cases, if (a) the data subject has given his/her consent either expressly or, where the transfer concerns sensitive data, in writing; or (b) the transfer is necessary for the performance of obligations resulting from a contract to which the data subject is a party; or (c) the transfer is necessary to establish or defend a legal claim. However, the exemptions mentioned in points (a), (b) and (c) above shall apply only where transfers are neither recurrent, massive nor structural.
Under the GDPR, similar transfer restrictions will apply and the existing methods of ensuring an adequate level of protection will remain broadly unchanged. In addition to such methods, the GDPR will introduce the possibility of transfers being made where there is an approved code of conduct or certification mechanism, together with binding and enforceable commitments of the data controller or the data processor that is outside the EEA to apply appropriate safeguards.
Yes. A transfer of personal data to a country outside the EEA that does not provide for an adequate level of protection may only take place if additional requirements have been met. For example, a data transfer agreement based on EC Model Clauses or other additional safeguards may be necessary.
Yes. Under MOCI Regulation No. 20 of 2016 regarding Protection of Personal Data in Electronic Systems (December 1, 2016) (“MOCI Reg”), the transfer of personal data overseas requires the local transferor to satisfy a coordination requirement with the MOCI and to fulfil any regulatory provision regarding the cross-border transfer of personal data (i.e., consent). The coordination requirement consists of:
- reporting any plan to transfer personal data, which must contain at least the clear name of the receiving country, the full name of the receiver, date of implementation, and reason/purpose of the transfer;
- requesting advocacy, if necessary; and
- reporting the result of the transfer.
As per the Privacy Rules, transfer of sensitive personal data or information is permitted to an entity subject to the following: (a) it is necessary for the performance of the lawful contract between the transferor and the provider of information or where the provider has consented to such data transfer; and (b) the transferee should adhere to the same level of data protection as the transferor.
Transfer of personal data is subject to the Privacy Protection Regulations (Transfer of Data to Databases Abroad), 5761-2001. Personal data may not be transferred overseas unless the law of the recipient’s country ensures a level of protection which is no less than the level of protection of personal data provided by Israeli law. However, a data-owner may also transfer personal data overseas if: (a) the data-subject has consented to the transfer; (b) the data-subject’s consent cannot be obtained, and the transfer is essential for the protection of his/her health or physical wellbeing; (c) the transfer is to a corporation under the control of the database-owner, and such corporation has guaranteed the protection of privacy after the transfer; (d) the transfer is to an entity which has contractually agreed to comply with the Israeli law provisions governing the processing and use of such data as applied to a database located in Israel; (e) the data was made publicly available or was opened for public inspection by a legal authority; (f) the transfer is essential for public safety or security; (g) the transfer is required by Israeli law; or (h) the transfer is: (1) to a country which is party to the European Convention for the Protection of Individuals with Regard to Automatic Processing of Sensitive Data; (2) to a country which duly receives information from a member state of the European Committee under the same terms of acceptance; or (3) to a country in relation to which the Registrar of Databases has announced, in an announcement published in the Official Gazette, that it has an authority for the protection of privacy, after reaching an arrangement for cooperation with the said authority.
Following the cancellation of the EU-US Safe Harbour (in October 2015), the Israeli Law, Information and Technology Authority ("ILITA") has issued a statement that exemption (h)(2) above can no longer be used for the transfer of data overseas, and that, if necessary, a data-owner should qualify such transfer by using the other existing exemptions. However, the official wording of the applicable regulations remained unchanged. It should be noted that ILITA has not officially recognized the applicability of the EU-US Privacy Shield as adequate in Israel, and hence use of this vehicle to transfer personal data from Israel to the US is questionable.
Yes. If any personal data collected will be transferred out of Singapore, the transferring organisation has to ensure that the recipient organisation overseas provides a standard of protection to the personal data transferred that is comparable to that under the PDPA. This may be achieved by either:
(a) entering into a legally binding agreement with the recipient;
(b) ensuring that the recipient is under binding corporate rules that prescribe a similar level of protection; or
(c) verifying that the applicable law in the jurisdiction to which the personal data will be transferred provides a level of protection that is comparable to the PDPA.
The Personal Data Protection Commission ("PDPC"), the statutory body responsible for the administration and enforcement of the PDPA, recommends that when entering into a legally binding agreement with the recipient, the transferring organisation should, as a minimum, ensure certain key PDPA principles are protected.
In addition, the organisation is required to seek the individual's consent to the transfer of the individual's personal data overseas and, prior to seeking that consent, the organisation is required to provide the individual with a reasonable summary in writing of the extent to which the personal data transferred to those countries will be protected to a standard comparable to the protection under the PDPA.
The transfer of personal data out of the territory of the European Union is prohibited unless the destination country or the recipient provides a level of protection considered sufficient, that is, equivalent to the protection afforded within the EU. Please note that providing remote access to data from abroad, irrespective of where the data is stored, is considered a transfer.
Transfers may take place only under certain conditions defined by EU legislation, such as:
- according to a decision of the EU Commission, the non-EEA jurisdiction provides "adequate protection" (e.g. has laws commensurate with those of the EU State members);
- the transfer is governed by the "standard contractual clauses" approved by the European Commission; or
- the data is transferred to the US and in compliance with the "Privacy Shield" program.
Current and future legislation provides for exceptions to the prohibition on transferring data if the data subject expressly consents to the transfer, or where the transfer is necessary, for instance:
- to safeguard the life of the data subject;
- to safeguard public interest;
- to ensure compliance with obligations that allow the acknowledgement, exercise or defense of a right before courts;
- for the performance of a contract between the data controller and the data subject;
- for the execution or the performance of an agreement in the interest of the data subject but between the data controller and a third party.
Germany applies restrictions on the transfer of personal data overseas. These are grounded in sections 4b and 4c of the BDSG, which distinguish between data transfers within the EU/EEA countries and transfers to countries outside the EU. For such other countries, there is again a differentiation between those having a level of data protection comparable to the EU (which are the minority) and “unsafe” countries, as determined by the European Commission. For example, India, China and the United States are considered “unsafe” in the data protection context. Under the current legal framework, the permissions of the BDSG will be replaced by Article 44 et seqq. GDPR.
Personal data may only be transferred to a recipient in an unsafe country if the controller or processor in such a country has provided appropriate safeguards, and on the condition that data subject rights are enforceable and effective legal remedies for data subjects are available. In practice the most common measure is the implementation of the EU model clauses. Additionally, Binding Corporate Rules (BCR) play an important role in multinational companies. The EU and the USA have established the so-called “EU-US Privacy Shield” since August 2016. It provides an opportunity for US companies which would like to receive data from the EU to register in a list of the US Federal Trade Commission (FTC) and thereby commit to comply with the fundamental principles of EU data protection laws. The Privacy Shield has replaced the so-called “Safe Harbor Framework”, which was declared invalid by the European Court of Justice on 6 October 2015 (C-362/14). As many principles of Safe Harbor are again found in the Privacy Shield, some scholars are of the opinion that there is a risk that the Privacy Shield may also be successfully challenged in the European Courts.
Personal data may only be transferred outside Switzerland if the privacy of the data subject is not seriously endangered, in particular due to the absence of legislation that guarantees adequate protection in the jurisdiction where the recipient resides. The Federal Data Protection and Information Commissioner (FDPIC) has published a list of jurisdictions that provide adequate data protection (www.edoeb.admin.ch/themen/00794/00827/index.html?lang=en). The EEA countries and Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, Monaco, New Zealand and Uruguay are generally considered to provide an adequate level of data protection as regards personal information of individuals (however, many do not as regards personal information of legal entities), while the laws of all other jurisdictions do not provide adequate data protection.
As regards the US, Switzerland and the US in February 2017 agreed on the Swiss-US Privacy Shield as a new framework for the transfer of personal data from Switzerland to the US, thereby replacing the US-Swiss Safe Harbor Framework. US companies processing personal data may self-certify to the Swiss-US Privacy Shield with the US Department of Commerce and thus publicly commit to comply with the new framework. Switzerland acknowledges that the level of protection of personal data for such certified US companies is adequate. As a result, Swiss companies are able to transfer personal data to those US business partners without the need to procure the consent of each data subject or to put additional measures in place.
In the absence of legislation that guarantees adequate protection, personal information may only be transferred outside Switzerland if sufficient safeguards, in particular contractual clauses, ensure an adequate level of protection abroad, the data subject has consented in the specific case, the processing is directly connected with the conclusion or the performance of a contract (and the personal information is that of a contractual party) or disclosure is made within the same legal person or company or between legal persons or companies that are under the same management, provided those involved are subject to data protection rules (further justifications apply). In practice, data transfer agreements or data transfer clauses (i.e. binding corporate rules) are regularly used to ensure an adequate level of protection in cross-border data flows within the same legal person or company or between legal persons or companies that are under the same management. It is the responsibility of the data transferor to ensure that an agreement is concluded that sufficiently protects the rights of the data subjects and to notify such agreements to the FDPIC. The FDPIC provides a model data transfer agreement which can be accessed on its website. The model data transfer agreement is based on Swiss law and reflects to a large extent the standard contractual clauses of the European Commission for data transfers.
First, as previously stated, there is no legislation that specifically regulates personal data; however, the protection of personal data is a right of citizens enshrined in the Constitution. Thus, and based on the legislation referred to above, personal information can only be transmitted overseas with the prior and express authorization of its owner. It is important to note that the consent must be free of vices (defects of consent).