Artikkel 45
Transfers on the basis of an adequacy decision

Offisielle tekster Retningslinjer
og beslutninger
Vurderinger
EU-regulering
Vurderinger
nasj. regulering
Vis forordningens fortaletekst relatert til art. 45 keyboard_arrow_down Skjul forordningens fortaletekst relatert til art. 45 keyboard_arrow_up

(101) Flows of personal data to and from countries outside the Union and international organisations are necessary for the expansion of international trade and international cooperation. The increase in such flows has raised new challenges and concerns with regard to the protection of personal data. However, when personal data are transferred from the Union to controllers, processors or other recipients in third countries or to international organisations, the level of protection of natural persons ensured in the Union by this Regulation should not be undermined, including in cases of onward transfers of personal data from the third country or international organisation to controllers, processors in the same or another third country or international organisation. In any event, transfers to third countries and international organisations may only be carried out in full compliance with this Regulation. A transfer could take place only if, subject to the other provisions of this Regulation, the conditions laid down in the provisions of this Regulation relating to the transfer of personal data to third countries or international organisations are complied with by the controller or processor.

(102) This Regulation is without prejudice to international agreements concluded between the Union and third countries regulating the transfer of personal data including appropriate safeguards for the data subjects. Member States may conclude international agreements which involve the transfer of personal data to third countries or international organisations, as far as such agreements do not affect this Regulation or any other provisions of Union law and include an appropriate level of protection for the fundamental rights of the data subjects.

(103) The Commission may decide with effect for the entire Union that a third country, a territory or specified sector within a third country, or an international organisation, offers an adequate level of data protection, thus providing legal certainty and uniformity throughout the Union as regards the third country or international organisation which is considered to provide such level of protection. In such cases, transfers of personal data to that third country or international organisation may take place without the need to obtain any further authorisation. The Commission may also decide, having given notice and a full statement setting out the reasons to the third country or international organisation, to revoke such a decision.

(104) In line with the fundamental values on which the Union is founded, in particular the protection of human rights, the Commission should, in its assessment of the third country, or of a territory or specified sector within a third country, take into account how a particular third country respects the rule of law, access to justice as well as international human rights norms and standards and its general and sectoral law, including legislation concerning public security, defence and national security as well as public order and criminal law. The adoption of an adequacy decision with regard to a territory or a specified sector in a third country should take into account clear and objective criteria, such as specific processing activities and the scope of applicable legal standards and legislation in force in the third country. The third country should offer guarantees ensuring an adequate level of protection essentially equivalent to that ensured within the Union, in particular where personal data are processed in one or several specific sectors. In particular, the third country should ensure effective independent data protection supervision and should provide for cooperation mechanisms with the Member States' data protection authorities, and the data subjects should be provided with effective and enforceable rights and effective administrative and judicial redress.

(105) Apart from the international commitments the third country or international organisation has entered into, the Commission should take account of obligations arising from the third country's or international organisation's participation in multilateral or regional systems in particular in relation to the protection of personal data, as well as the implementation of such obligations. In particular, the third country's accession to the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to the Automatic Processing of Personal Data and its Additional Protocol should be taken into account. The Commission should consult the Board when assessing the level of protection in third countries or international organisations.

(106) The Commission should monitor the functioning of decisions on the level of protection in a third country, a territory or specified sector within a third country, or an international organisation, and monitor the functioning of decisions adopted on the basis of Article 25(6) or Article 26(4) of Directive 95/46/EC. In its adequacy decisions, the Commission should provide for a periodic review mechanism of their functioning. That periodic review should be conducted in consultation with the third country or international organisation in question and take into account all relevant developments in the third country or international organisation. For the purposes of monitoring and of carrying out the periodic reviews, the Commission should take into consideration the views and findings of the European Parliament and of the Council as well as of other relevant bodies and sources. The Commission should evaluate, within a reasonable time, the functioning of the latter decisions and report any relevant findings to the Committee within the meaning of Regulation (EU) No 182/2011 of the European Parliament and of the Council (12) as established under this Regulation, to the European Parliament and to the Council.

(107) The Commission may recognise that a third country, a territory or a specified sector within a third country, or an international organisation no longer ensures an adequate level of data protection. Consequently the transfer of personal data to that third country or international organisation should be prohibited, unless the requirements in this Regulation relating to transfers subject to appropriate safeguards, including binding corporate rules, and derogations for specific situations are fulfilled. In that case, provision should be made for consultations between the Commission and such third countries or international organisations. The Commission should, in a timely manner, inform the third country or international organisation of the reasons and enter into consultations with it in order to remedy the situation.

(108) In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority. Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union, including the availability of enforceable data subject rights and of effective legal remedies, including to obtain effective administrative or judicial redress and to claim compensation, in the Union or in a third country. They should relate in particular to compliance with the general principles relating to personal data processing, the principles of data protection by design and by default. Transfers may also be carried out by public authorities or bodies with public authorities or bodies in third countries or with international organisations with corresponding duties or functions, including on the basis of provisions to be inserted into administrative arrangements, such as a memorandum of understanding, providing for enforceable and effective rights for data subjects. Authorisation by the competent supervisory authority should be obtained when the safeguards are provided for in administrative arrangements that are not legally binding.

(109) The possibility for the controller or processor to use standard data-protection clauses adopted by the Commission or by a supervisory authority should prevent controllers or processors neither from including the standard data-protection clauses in a wider contract, such as a contract between the processor and another processor, nor from adding other clauses or additional safeguards provided that they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects. Controllers and processors should be encouraged to provide additional safeguards via contractual commitments that supplement standard protection clauses.

(110) A group of undertakings, or a group of enterprises engaged in a joint economic activity, should be able to make use of approved binding corporate rules for its international transfers from the Union to organisations within the same group of undertakings, or group of enterprises engaged in a joint economic activity, provided that such corporate rules include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data.

(111) Provisions should be made for the possibility for transfers in certain circumstances where the data subject has given his or her explicit consent, where the transfer is occasional and necessary in relation to a contract or a legal claim, regardless of whether in a judicial procedure or whether in an administrative or any out-of-court procedure, including procedures before regulatory bodies. Provision should also be made for the possibility for transfers where important grounds of public interest laid down by Union or Member State law so require or where the transfer is made from a register established by law and intended for consultation by the public or persons having a legitimate interest. In the latter case, such a transfer should not involve the entirety of the personal data or entire categories of the data contained in the register and, when the register is intended for consultation by persons having a legitimate interest, the transfer should be made only at the request of those persons or, if they are to be the recipients, taking into full account the interests and fundamental rights of the data subject.

(112) Those derogations should in particular apply to data transfers required and necessary for important reasons of public interest, for example in cases of international data exchange between competition authorities, tax or customs administrations, between financial supervisory authorities, between services competent for social security matters, or for public health, for example in the case of contact tracing for contagious diseases or in order to reduce and/or eliminate doping in sport. A transfer of personal data should also be regarded as lawful where it is necessary to protect an interest which is essential for the data subject's or another person's vital interests, including physical integrity or life, if the data subject is incapable of giving consent. In the absence of an adequacy decision, Union or Member State law may, for important reasons of public interest, expressly set limits to the transfer of specific categories of data to a third country or an international organisation. Member States should notify such provisions to the Commission. Any transfer to an international humanitarian organisation of personal data of a data subject who is physically or legally incapable of giving consent, with a view to accomplishing a task incumbent under the Geneva Conventions or to complying with international humanitarian law applicable in armed conflicts, could be considered to be necessary for an important reason of public interest or because it is in the vital interest of the data subject.

(113) Transfers which can be qualified as not repetitive and that only concern a limited number of data subjects, could also be possible for the purposes of the compelling legitimate interests pursued by the controller, when those interests are not overridden by the interests or rights and freedoms of the data subject and when the controller has assessed all the circumstances surrounding the data transfer. The controller should give particular consideration to the nature of the personal data, the purpose and duration of the proposed processing operation or operations, as well as the situation in the country of origin, the third country and the country of final destination, and should provide suitable safeguards to protect fundamental rights and freedoms of natural persons with regard to the processing of their personal data. Such transfers should be possible only in residual cases where none of the other grounds for transfer are applicable. For scientific or historical research purposes or statistical purposes, the legitimate expectations of society for an increase of knowledge should be taken into consideration. The controller should inform the supervisory authority and the data subject about the transfer.

(114) In any case, where the Commission has taken no decision on the adequate level of data protection in a third country, the controller or processor should make use of solutions that provide data subjects with enforceable and effective rights as regards the processing of their data in the Union once those data have been transferred so that that they will continue to benefit from fundamental rights and safeguards.

(115) Some third countries adopt laws, regulations and other legal acts which purport to directly regulate the processing activities of natural and legal persons under the jurisdiction of the Member States. This may include judgments of courts or tribunals or decisions of administrative authorities in third countries requiring a controller or processor to transfer or disclose personal data, and which are not based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State. The extraterritorial application of those laws, regulations and other legal acts may be in breach of international law and may impede the attainment of the protection of natural persons ensured in the Union by this Regulation. Transfers should only be allowed where the conditions of this Regulation for a transfer to third countries are met. This may be the case, inter alia, where disclosure is necessary for an important ground of public interest recognised in Union or Member State law to which the controller is subject.

(116) When personal data moves across borders outside the Union it may put at increased risk the ability of natural persons to exercise data protection rights in particular to protect themselves from the unlawful use or disclosure of that information. At the same time, supervisory authorities may find that they are unable to pursue complaints or conduct investigations relating to the activities outside their borders. Their efforts to work together in the cross-border context may also be hampered by insufficient preventative or remedial powers, inconsistent legal regimes, and practical obstacles like resource constraints. Therefore, there is a need to promote closer cooperation among data protection supervisory authorities to help them exchange information and carry out investigations with their international counterparts. For the purposes of developing international cooperation mechanisms to facilitate and provide international mutual assistance for the enforcement of legislation for the protection of personal data, the Commission and the supervisory authorities should exchange information and cooperate in activities related to the exercise of their powers with competent authorities in third countries, based on reciprocity and in accordance with this Regulation.

Vis direktivets fortaletekst relatert til art. 45 keyboard_arrow_down Skjul direktivets fortaletekst relatert til art. 45 keyboard_arrow_up

(56) Whereas cross-border flows of personal data are necessary to the expansion of international trade; whereas the protection of individuals guaranteed in the Community by this Directive does not stand in the way of transfers of personal data to third countries which ensure an adequate level of protection; whereas the adequacy of the level of protection afforded by a third country must be assessed in the light of all the circumstances surrounding the transfer operation or set of transfer operations;

(57) Whereas, on the other hand, the transfer of personal data to a third country which does not ensure an adequate level of protection must be prohibited;

(58) Whereas provisions should be made for exemptions from this prohibition in certain circumstances where the data subject has given his consent, where the transfer is necessary in relation to a contract or a legal claim, where protection of an important public interest so requires, for example in cases of international transfers of data between tax or customs administrations or between services competent for social security matters, or where the transfer is made from a register established by law and intended for consultation by the public or persons having a legitimate interest; whereas in this case such a transfer should not involve the entirety of the data or entire categories of the data contained in the register and, when the register is intended for consultation by persons having a legitimate interest, the transfer should be made only at the request of those persons or if they are to be the recipients;

(60) Whereas, in any event, transfers to third countries may be effected only in full compliance with the provisions adopted by the Member States pursuant to this Directive, and in particular Article 8 thereof;

(66) Whereas, with regard to the transfer of data to third countries, the application of this Directive calls for the conferment of powers of implementation on the Commission and the establishment of a procedure as laid down in Council Decision 87/373/EEC (1);

GDPR

The principle of adequacy is maintained by the Regulation in Article 45, but it is nevertheless amended: the Commission is now the only body to find whether the third country, territory, or one or several areas identified in that third country or international organization in question provide an adequate level of protection.

In addition to those already contained in the Directive, Article 45 (2) of the Regulations sets out some criteria for assessing the level of adequacy: the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral ( including concerning public security, defence, national security and criminal law), the data protection rules and security measures, including rules for the onward transfer of personal data to another third country or international organization which are complied with in that country or international organization, etc. (a));

In accordance with the case-law of the Union, the Regulation also introduces as a criterion the existence and effective functioning of an independent supervisory authority with such powers of sanction, of assistance and advice to the attention of the data subjects in the exercise of their rights (b).

The adequacy of the country of destination also involves reviewing the international commitments on the protection of the personal data taken by the third country or the international organization concerned, as well as its participation in multilateral or regional systems in particular for the protection of personal data (c).

Initially, the new implemented procedure envisaged consultation with the European Data Protection Board on the assessment of the adequacy of the level of protection provided by a third country or an international organization. However, this provision was not maintained in the final version of the Regulation. 

So, the European Commission is only competent body to determine, by means of a decision taken in accordance with article 93 (2), the adequacy of the level of protection in a third country, but also of an international organization, of a territory or one or different sectors of a third country (paragraph 1 and paragraph 3).

The Commission decision on adequacy must indicate its territorial and sectoral scope, the competent supervisory authority (if any), and determine a procedure for periodic review, at least every 4 years, taking account of the relevant developments in the third country, the international organization, or territory. The Commission is also required to assess on this basis of the decisions adopted on the basis of this provision or Article 25, paragraph 4, of the Directive.

The Commission may also revoke, modify or suspend a decision on adequacy if the third country, territory or international organization no longer provides an adequate level of protection but not retroactively, in compliance with the procedure of the Board set out in Article 93 (2) of the Regulation. In case of extreme emergency, the decision repealing, amending or suspending a decision can however be taken in accordance with article 93 (3) in accordance with an accelerated procedure (paragraph 5). It should be noted that the Commission can no longer - as provided for in the Directive (Art. 25 (4)) - find that a third country does not ensure a level of protection outside a positive earlier decision.

In the event of a decision of inadequacy, the Commission shall enter into consultations with the third country or international organization with a view to remedying this situation (paragraph 6).

In the absence of a decision to the contrary, the decisions on adequacy by the Commission taken in accordance with the Directive remain valid until their modification, replacement or their repeal by a decision of the Commission adopted pursuant to paragraph 3.

As we will see below, Articles 46 to 49 allow, under certain conditions, the transfer data to a third country in the absence of a decision on adequacy (see the comments to Articles 46 to 49), especially when the controller or the processor provides appropriate safeguards to meet the shortfall in the level of protection of the country of destination of the personal data.

Paragraph 7 of Article 45 states that a decision pursuant to paragraph 5 of this Article is without prejudice to transfers of personal data to the third country, a territory or one or more specified sectors within that third country, or the international organization in question.

The Commission shall publish a list of the third countries, territories and specified sectors within a third country and international organizations for which it has decided that an adequate level of protection is or is no longer ensured.

Direktivet

As to the transfer of personal data, Article 25 of the Directive set out the principle of adequacy that a transfer of personal data to a country outside of the European Union cannot take place unless the country receiving the data ensures an adequate level of protection.

The assessment of the level of protection of the data recipient country was based on a set of factors, contained in Article 25 of the Directive as guidance. The assessment was therefore supposed to take into account all the circumstances relating to the transfer, for example, the nature of the data, the purpose and duration of the processing. It should be noted that, according to the CJEU, the independence of the third country of the supervisory authority must also be guaranteed (CJEU, 9 March 2010, C-518/7).

In this regard, it should be noted the major role played by the Article 29 Working Party in its assessment of the notion of adequate protection through various work documents completed (see in particular WP4 WP7, WP, WP 74, 12 WP 114).

The Directive also provided for mechanisms for assessment of the adequacy both at the Community level and at national level. At the community level, paragraphs 4 and 6 of the Directive vested in the Commission the power to determine the third countries which provide a level of personal data protection, in accordance with the procedure laid down in Article 31 (2) or not. According to this procedure, a representative of the Commission submitted a draft measure to take for an opinion to a Committee of representatives of the Member States, chaired by a representative of the Commission. It was the responsibility of the Commission then to set out directly applicable measures that are consistent with the view of the Committee. If this was not the case, the Commission could delay the application of these measures and the final decision should be made by the Council acting by qualified majority (see Article 31 (2) of the Directive).

The Member States had to comply with the decision of the Commission: in the case of a decision on adequacy (Art. 25 (6)), the latter should take the necessary measures and in the case of a decision of inadequacy, they had to prevent the transfers to the third countries in question (Art. 25 (4)). The Commission was then charged to enter into negotiations with the country in question to remedy this situation (Article 25 (5)).

We should remember that the Commission decision of 26 July 2000 adopting the "Safe Harbor Act" supposed to provide a framework for the transfers between the EU and the United States and comprising a series of principles for the protection of personal data has been invalidated by the Court of Justice of the European Union (CJEU, judgment of 6 October 2015, C-362/14). Notably, the Court held that the "security sphere" scheme, authorizing the interference by the US authorities in the fundamental rights of individuals, not covered by rules limiting such interference, is contrary to the Charter of Fundamental Rights of the Union.

Utfordringer

The difficulties here are less legal than political.

It is probably wise to no longer let the states decide on the adequacy of the level of protection in a third country. The exclusive competence recognized to the Commission will ensure greater legal security. In the absence of a decision, it seems that the prohibition of transfer must prevail, except in application of Articles 46 et seq.

Let’s note that in doing so, the controller or the processor can no longer assess this adequacy. In the absence of a decision, they will be automatically required to cover the transfer outside the EU by one of the rules provided for in Articles 46 et seq.

Forordning
1e 2e

Art. 45

1.   A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.

2.   When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements:

a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred;

b) the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the Member States; and

c) the international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.

3.   The Commission, after assessing the adequacy of the level of protection, may decide, by means of implementing act, that a third country, a territory or one or more specified sectors within a third country, or an international organisation ensures an adequate level of protection within the meaning of paragraph 2 of this Article. The implementing act shall provide for a mechanism for a periodic review, at least every four years, which shall take into account all relevant developments in the third country or international organisation. The implementing act shall specify its territorial and sectoral application and, where applicable, identify the supervisory authority or authorities referred to in point (b) of paragraph 2 of this Article. The implementing act shall be adopted in accordance with the examination procedure referred to in Article 93(2).

4.   The Commission shall, on an ongoing basis, monitor developments in third countries and international organisations that could affect the functioning of decisions adopted pursuant to paragraph 3 of this Article and decisions adopted on the basis of Article 25(6) of Directive 95/46/EC.

5.   The Commission shall, where available information reveals, in particular following the review referred to in paragraph 3 of this Article, that a third country, a territory or one or more specified sectors within a third country, or an international organisation no longer ensures an adequate level of protection within the meaning of paragraph 2 of this Article, to the extent necessary, repeal, amend or suspend the decision referred to in paragraph 3 of this Article by means of implementing acts without retro-active effect. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).

On duly justified imperative grounds of urgency, the Commission shall adopt immediately applicable implementing acts in accordance with the procedure referred to in Article 93(3).

6.   The Commission shall enter into consultations with the third country or international organisation with a view to remedying the situation giving rise to the decision made pursuant to paragraph 5.

7.   A decision pursuant to paragraph 5 of this Article is without prejudice to transfers of personal data to the third country, a territory or one or more specified sectors within that third country, or the international organisation in question pursuant to Articles 46 to 49.

8.   The Commission shall publish in the Official Journal of the European Union and on its website a list of the third countries, territories and specified sectors within a third country and international organisations for which it has decided that an adequate level of protection is or is no longer ensured.

9.   Decisions adopted by the Commission on the basis of Article 25(6) of Directive 95/46/EC shall remain in force until amended, replaced or repealed by a Commission Decision adopted in accordance with paragraph 3 or 5 of this Article.

1. forslag close

Art. 41

1.           A transfer may take place where the Commission has decided that the third country, or a territory or a processing sector within that third country, or the international organisation in question ensures an adequate level of protection. Such transfer shall not require any further authorisation.

2.           When assessing the adequacy of the level of protection, the Commission shall give consideration to the following elements:

(a)     the rule of law, relevant legislation in force, both general and sectoral, including concerning public security, defence, national security and criminal law, the professional rules and security measures which are complied with in that country or by that international organisation, as well as effective and enforceable rights including effective administrative and judicial redress for data subjects, in particular for those data subjects residing in the Union whose personal data are being transferred;

(b)     the existence and effective functioning of one or more independent supervisory authorities in the third country or international organisation in question responsible for ensuring compliance with the data protection rules, for assisting and advising the data subjects in exercising their rights and for co-operation with the supervisory authorities of the Union and of Member States; and

(c)     the international commitments the third country or international organisation in question has entered into.

3.           The Commission may decide that a third country, or a territory or a processing sector within that third country, or an international organisation ensures an adequate level of protection within the meaning of paragraph 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

4.           The implementing act shall specify its geographical and sectoral application, and, where applicable, identify the supervisory authority mentioned in point (b) of paragraph 2.

5.           The Commission may decide that a third country, or a territory or a processing sector within that third country, or an international organisation does not ensure an adequate level of protection within the meaning of paragraph 2 of this Article, in particular in cases where the relevant legislation, both general and sectoral, in force in the third country or international organisation, does not guarantee effective and enforceable rights including effective administrative and judicial redress for data subjects, in particular for those data subjects residing in the Union whose personal data are being transferred. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2), or, in cases of extreme urgency for individuals with respect to their right to personal data protection, in accordance with the procedure referred to in Article 87(3).

6.           Where the Commission decides pursuant to paragraph 5, any transfer of personal data to the third country, or a territory or a processing sector within that third country, or the international organisation in question shall be prohibited, without prejudice to Articles 42 to 44. At the appropriate time, the Commission shall enter into consultations with the third country or international organisation with a view to remedying the situation resulting from the Decision made pursuant to paragraph 5 of this Article.

7.           The Commission shall publish in the Official Journal of the European Union a list of those third countries, territories and processing sectors within a third country and international organisations where it has decided that an adequate level of protection is or is not ensured.

8.           Decisions adopted by the Commission on the basis of Article 25(6) or Article 26(4) of Directive 95/46/EC shall remain in force, until amended, replaced or repealed by the Commission.

2. forslag close

Art. 41

1. A transfer of personal data to (...) a third country or an international organisation may take place where the Commission has decided that the third country, or a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such transfer shall not require any specific authorisation.

2. When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements:

(a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation (...), both general and sectoral, data protection rules and security measures, including rules for onward transfer of personal data to another third country or international organisation, which are complied with in that third country or international organisation, as well as the existence of effective and enforceable data subject rights and effective administrative and judicial redress for data subjects whose personal data are being transferred (...);

(b) the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules including adequate sanctioning powers for assisting and advising the data subjects in exercising their rights and for co-operation with the supervisory authorities of the Union and of Member States;

(c) the international commitments the third country or international organisation concerned has entered into, or other (...) obligations arising from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.

2a. The European Data Protection Board shall give the Commission an opinion for the assessment of the adequacy of the level of protection in a third country or international organization, including for the assessment whether a third country or the territory or the international organization or the specified sector no longer ensures an adequate level of protection.

3. The Commission, after assessing the adequacy of the level of protection, may decide that a third country, or a territory or one or more specified sectors within that third country, or an international organisation ensures an adequate level of protection within the meaning of paragraph 2. (...).

The implementing act shall specify its territorial and sectoral application and, where applicable, identify the (independent) supervisory authority(ies) mentioned in point (b) of paragraph 2. The implementing act shall be adopted in accordance with the examination procedure referred to in Article 87(2).

3a. Decisions adopted by the Commission on the basis of Article 25(6) (...) of Directive 95/46/EC shall remain in force until amended, replaced or repealed by a Commission Decision adopted in accordance with paragraph 3 or 5.

4. (...)

4a. The Commission shall monitor the functioning of decisions adopted pursuant to paragraph 3 and decisions adopted on the basis of Article 25(6) or Article 26(4) of Directive 95/46/EC.

5. The Commission may decide that a third country, or a territory or a specified sector within that third country, or an international organisation no longer ensures an adequate level of protection within the meaning of paragraph 2 and may, where necessary, repeal, amend or suspend such decision without retro-active effect. The implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2) or, in cases of extreme urgency (...), in accordance with the procedure referred to in Article 87(3). (...)

5a. The Commission shall enter into consultations with the third country or international organisation with a view to remedying the situation giving rise to the Decision made pursuant to paragraph 5.

6. A decision pursuant to paragraph 5 is without prejudice to transfers of personal data to the third country, or the territory or specified sector within that third country, or the international organisation in question pursuant to Articles 42 to 44.(...)

7. The Commission shall publish in the Official Journal of the European Union a list of those third countries, territories and specified sectors within a third country and international organisations in respect of which decisions have been taken pursuant to paragraphs 3, 3a and 5.

8. (...)

Direktiv close

Art. 25

1. The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.

2. The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.

3. The Member States and the Commission shall inform each other of cases where they consider that a third country does not ensure an adequate level of protection within the meaning of paragraph 2.

4. Where the Commission finds, under the procedure provided for in Article 31 (2), that a third country does not ensure an adequate level of protection within the meaning of paragraph 2 of this Article, Member States shall take the measures necessary to prevent any transfer of data of the same type to the third country in question.

5. At the appropriate time, the Commission shall enter into negotiations with a view to remedying the situation resulting from the finding made pursuant to paragraph 4.

6. The Commission may find, in accordance with the procedure referred to in Article 31 (2), that a third country ensures an adequate level of protection within the meaning of paragraph 2 of this Article, by reason of its domestic law or of the international commitments it has entered into, particularly upon conclusion of the negotiations referred to in paragraph 5, for the protection of the private lives and basic freedoms and rights of individuals.

Member States shall take the measures necessary to comply with the Commission's decision.

Art. 45

Overføringer på grunnlag av en beslutning om tilstrekkelig beskyttelsesnivå

1. Personopplysninger kan overføres til en tredjestat eller en internasjonal organisasjon når Kommisjonen har fastslått at tredjestaten, et territorium eller en eller flere angitte sektorer i nevnte tredjestat eller den aktuelle internasjonale organisasjonen sikrer et tilstrekkelig beskyttelsesnivå. En slik overføring skal ikke kreve en særlig godkjenning.

2. Ved vurderingen av om beskyttelsesnivå er tilstrekkelig skal Kommisjonen særlig ta hensyn til det følgende:

a) prinsippet om rettsstaten, respekt for menneskerettighetene og grunnleggende friheter, relevant lovgivning, både generell og sektorbestemt, herunder om offentlig sikkerhet, forsvar, nasjonal sikkerhet og strafferett og offentlige myndigheters tilgang til personopplysninger samt gjennomføring av nevnte lovgivning, regler om vern av personopplysninger, regler om yrkesutøvelse og sikkerhetstiltak, herunder regler om videreoverføring av personopplysninger til en annen tredjestat eller internasjonal organisasjon som gjelder i nevnte stat eller internasjonale organisasjon, rettspraksis samt effektive og håndhevbare rettigheter for de registrerte og rett til effektiv administrativ og rettslig prøving for de registrerte hvis personopplysninger overføres,

b) om det finnes en eller flere velfungerende, uavhengige tilsynsmyndigheter i tredjestaten eller som en internasjonal organisasjon er underlagt, med ansvar for å sikre og håndheve at reglene for vern av personopplysninger overholdes, herunder tilstrekkelig håndhevingsmyndighet, for å bistå og gi råd til de registrerte når de utøver sine rettigheter, og for samarbeid med tilsynsmyndighetene i medlemsstatene, og

c) de internasjonale forpliktelsene som den berørte tredjestaten eller den internasjonale organisasjonen har påtatt seg, eller andre forpliktelser som følger av rettslig bindende konvensjoner eller instrumenter og av tredjestatens eller organisasjonens deltaking i multilaterale eller regionale systemer, særlig i forbindelse med vern av personopplysninger.

3. Etter å ha vurdert om beskyttelsesnivået er tilstrekkelig, kan Kommisjonen ved hjelp av gjennomføringsrettsakter beslutte at en tredjestat, et territorium eller en eller flere angitte sektorer i en tredjestat eller en internasjonal organisasjon sikrer et tilstrekkelig beskyttelsesnivå i henhold til nr. 2 i denne artikkel. I gjennomføringsrettsaktene skal det fastsettes en mekanisme for regelmessig gjennomgåelse, som skal foretas minst hvert fjerde år, der det skal tas hensyn til all relevant utvikling i tredjestaten eller den internasjonale organisasjonen. I gjennomføringsrettsakten skal dens geografiske og sektorvise virkeområde angis samt, dersom det er relevant, den eller de tilsynsmyndigheter som er nevnt i nr. 2 bokstav b) i denne artikkel. Gjennomføringsrettsakten skal vedtas i samsvar med undersøkelsesprosedyren nevnt i artikkel 93 nr. 2.

4. Kommisjonen skal fortløpende overvåke utviklingen i tredjestater og internasjonale organisasjoner som kan påvirke virkemåten til beslutninger truffet i henhold til nr. 3 i denne artikkel samt beslutninger truffet på grunnlag av artikkel 25 nr. 6 i direktiv 95/46/EF.

5. Når tilgjengelig informasjon, særlig etter gjennomgåelsen nevnt i nr. 3 i denne artikkel, viser at en tredjestat, et territorium eller en eller flere angitte sektorer i en tredjestat eller en internasjonal organisasjon ikke lenger sikrer et tilstrekkelig beskyttelsesnivå i henhold til nr. 2 i denne artikkel, skal Kommisjonen i det omfang som er nødvendig, oppheve, endre eller midlertidig oppheve beslutningen nevnt i nr. 3 i denne artikkel ved hjelp av gjennomføringsrettsakter uten tilbakevirkende kraft. Disse gjennomføringsrettsaktene skal vedtas i samsvar med undersøkelsesprosedyren nevnt i artikkel 93 nr. 2.

I behørig begrunnede, tvingende hastetilfeller skal Kommisjonen vedta gjennomføringsrettsakter med umiddelbar virkning i samsvar med prosedyren nevnt i artikkel 93 nr. 3.

6. Kommisjonen skal innlede samråd med tredjestaten eller den internasjonale organisasjonen med henblikk på å avhjelpe situasjonen som har gitt opphav til beslutningen truffet i henhold til nr. 5.

7. En beslutning i henhold til nr. 5 i denne artikkel berører ikke overføringer av personopplysninger til tredjestaten, et territorium eller en eller flere angitte sektorer i nevnte tredjestat eller den aktuelle internasjonale organisasjonen som utføres i henhold til artikkel 46–49.

8. Kommisjonen skal i Den europeiske unions tidende og på sitt nettsted offentliggjøre en liste over tredjestatene, territoriene og de angitte sektorene i en tredjestat samt internasjonale organisasjoner som den har fastslått ikke eller ikke lenger sikrer et tilstrekkelig beskyttelsesnivå.

9. Beslutninger truffet av Kommisjonen på grunnlag av artikkel 25 nr. 6 i direktiv 95/46/EF skal fortsette å gjelde fram til de endres, erstattes eller oppheves ved en kommisjonsbeslutning truffet i samsvar med nr. 3 eller 5 i denne artikkel.

Gamle loven close

Pol. § 29 Grunnleggende vilkår

Personopplysninger kan bare overføres til stater som sikrer en forsvarlig behandling av opplysningene. Stater som har gjennomført direktiv 95/46/EF om beskyttelse av fysiske personer i forbindelse med behandling av personopplysninger og om fri utveksling av slike opplysninger, oppfyller kravet til forsvarlig behandling.

I vurderingen av om behandlingen sikres på forsvarlig måte, skal det bl.a. legges vekt på opplysningenes art, den planlagte behandlingens formål og varighet samt de rettsregler, regler for god forretningsskikk og sikkerhetstiltak som gjelder i vedkommende stat. Det skal også legges vekt på om staten har tiltrådt Europarådets konvensjon 28. januar 1981 nr. 108 om personvern i forbindelse med elektronisk behandling av personopplysninger.

Pol. § 30 Unntak

Personopplysninger kan også overføres til stater som ikke sikrer en forsvarlig behandling av opplysningene dersom

a) den registrerte har samtykket i overføringen,

b) det foreligger plikt til å overføre opplysningene etter folkerettslig avtale eller som følge av medlemskap i internasjonal organisasjon,

c) overføringen er nødvendig for å oppfylle en avtale med den registrerte, eller for å utføre gjøremål etter den registrertes ønske før en slik avtale inngås,

d) overføringen er nødvendig for å inngå eller oppfylle en avtale med en tredjeperson i den registrertes3 interesse,

e) overføringen er nødvendig for å vareta den registrertes3 vitale interesser,

f) overføringen er nødvendig for å fastsette, gjøre gjeldende eller forsvare et rettskrav,

g) overføringen er nødvendig eller følger av lov for å beskytte en viktig samfunnsinteresse, eller

h) det er fastsatt i lov at det er adgang til å kreve opplysninger fra et offentlig register.

Datatilsynet6 kan tillate overføring selv om vilkårene i første ledd ikke er oppfylt dersom den behandlingsansvarlige7 gir tilstrekkelige garantier for vern av den registrertes3 rettigheter. Datatilsynet kan sette vilkår for overføringen.

Kongen kan gi forskrift om overføring av personopplysninger til utlandet, herunder om å stanse eller begrense overføring til bestemte stater som ikke tilfredsstiller kravene i § 29.

Pol. forskriften § 6-1 EU-kommisjonens beslutninger om beskyttelsesnivået i tredjeland

Kommisjonens beslutninger etter direktiv 95/46/EF artikkel 25 og 26, jf. 31 gjelder også for Norge i samsvar med EØS-komiteens beslutning nr. 83/1999 (av 25. juni 1999 om endring av EØS-avtalens protokoll 37 og vedlegg XI), med mindre reservasjonsadgangen er benyttet.

Datatilsynet skal sørge for at beslutningene etterleves.

Pol. forskriften § 6-2 Datatilsynets vurdering av beskyttelsesnivået i tredjeland

Dersom Datatilsynet kommer til at et tredjeland ikke har et tilfredsstillende beskyttelsesnivå ved behandling av personopplysninger, skal Datatilsynet gi melding til EU-kommisjonen og de øvrige medlemsstater om sin beslutning.

Dersom Datatilsynet, etter en konkret vurdering i henhold til direktiv 95/46/EF artikkel 26 nr. 2, allikevel tillater overføring av personopplysninger til et tredjeland som ikke sikrer et tilfredsstillende beskyttelsesnivå i henhold til direktiv 95/46/EF artikkel 25 nr. 2, skal Datatilsynet gi melding til EU-kommisjonen og øvrige medlemsstater om sin beslutning.

Dersom Kommisjonen eller andre medlemsstater har innsigelser mot Datatilsynets beslutninger i henhold til andre ledd, og Kommisjonen treffer tiltak, skal Datatilsynet sørge for at beslutningen etterleves.

Italy close

Artt. 44-50 D.Lgs. 196/2003 - Other Permitted Data Transfers 

1. The transfer of processed personal data to a non-EU Member State shall also be permitted if it is authorised by the Garante on the basis of adequate safeguards for data subjects’ rights

a) as determined by the Garante also in connection with contractual safeguards, or else by means of rules of conduct as in force within the framework of companies all belonging to the same group, whereby a data subject may claim his/her rights in the State’s territory as set forth by this Code also with regard to non-compliance with the aforementioned safeguards; or

b) as determined via the decisions referred to in Articles 25(6) and 26(4) of Directive 95/46/EC of the European Parliament and of the Council, of 24 October 1995, through which the European Commission may find that a non-EU Member State affords an adequate level of protection, or else that certain contractual clauses afford sufficient safeguards.

close