Are there restrictions on the transfer of personal data overseas?
Under the Maltese Data Protection Act (DPA), a transfer of personal data is itself a processing operation which must be notified to the Commissioner. If such data is transferred to an EU Member State, to an EEA member country, or to a third country recognised as having an adequate level of protection, no restrictions or other formalities apply as long as the provisions of the DPA are complied with. The Commissioner has the power to assess whether a third country ensures such an adequate level of protection. A transfer of personal data to a third country which does not ensure an adequate level of protection may still be carried out, provided that the data subject has given his unambiguous consent or that the transfer is necessary in one of the specified circumstances for which the DPA provides, such as the performance of a contract concluded in the interests of the data subject. In any case, the Commissioner may authorise the transfer of personal data to a third country that does not ensure an adequate level of protection if he is satisfied that the controller offers adequate safeguards by means of standard contractual clauses which are deemed sufficient to protect the privacy and fundamental rights and freedoms of individuals.
With respect to transfers of personal data from Malta to the United States (‘U.S.’), as long as the U.S. entities to which the data is transferred comply with the EU-U.S. Privacy Shield, which became operational on 1 August 2016, mere notification to the Commissioner is required.
Where data needs to be transferred within a multinational organisation, Binding Corporate Rules are a valuable tool if data is transferred regularly, since they can be adopted without having to sign a separate agreement with each intra-group entity for each processing operation requiring an international data transfer.
Chapter V of the Norwegian Personal Data Act governs the transfer of personal data to other countries. Section 29 of the Act prescribes that personal data may only be transferred to another country if that country ensures an adequate level of protection of the data in question. The assessment of the adequacy of the level of protection shall be based on the nature of the personal data, the purpose and duration of the proposed processing, and the rules of law, the professional rules and the security measures that apply in the country in question.
Countries that have implemented Directive 95/46/EC are deemed to fulfil the requirement with regard to an adequate level of protection. These include the 28 EU countries and the three EEA member countries (Norway, Liechtenstein and Iceland).
Furthermore, the European Commission has determined, through a series of Commission decisions, that a number of countries fulfil the abovementioned requirement. At the time of the publication of this guide, these countries include Andorra, Argentina, Canada (commercial organisations), the Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.
Where a Norwegian entity wishes to transfer personal data to a receiving party in the United States, such transfer is allowable where the receiving party is certified under the EU-U.S. Privacy Shield Framework, cf. https://www.commerce.gov/tags/eu-us-privacy-shield for a complete list of all certified entities.
Except as provided above, the transfer of personal data overseas usually entails an application to the Norwegian Data Protection Authority, providing safeguards for the protection of the rights of the data subject concerned. Depending on the situation, the transferring party may choose to use the EU Model Contracts (standard contractual clauses) for the transfer of personal data to third countries. By using the Model Contracts for a transfer of personal data to a data processor, the transferring party need only notify the Data Protection Authority of the transfer itself.
Where the transfer takes place within a group of companies, the transferring party may choose to transfer the personal data under Binding Corporate Rules (BCR). While not mentioned in Directive 95/46/EC or in the Personal Data Act, BCR are usually accepted where they provide sufficient safeguards for the protection of the rights of the data subject concerned. The Data Protection Authority, as well as at least one other Data Protection Authority within the European Economic Area, must approve the BCR before they can be used as the basis for the transfer of personal data.
In accordance with Section 30 of the Act, personal data may also be transferred to countries that do not ensure an adequate level of protection if, inter alia, the data subject has consented to the transfer or the transfer is necessary in order to establish, exercise or defend a legal claim.
The Data Protection Authority may allow the transfer of personal data even if the aforementioned requirements are not fulfilled, where the data controller provides adequate safeguards with respect to the protection of the rights of the data subject. The Data Protection Authority may stipulate requirements for the transfer.
Under Turkish law, personal data must not be transferred to foreign countries without the data subject's explicit consent. However, personal data can be transferred outside Turkey without the consent of the data subject if any of the seven grounds referred to in Question 8 exists and if either:
- There is an adequate level of data protection in the foreign country; or
- The data controllers in Turkey and in the receiving country undertake in writing that the data will be protected, and the approval of the Data Protection Authority is obtained.
As of 20 July 2017, the list of countries which provide an adequate level of data protection had not yet been published by the DPA.