General principle for transfers
(6) Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data.
Article 44 is intended to state the general principle governing data transfers to non-EU third countries or international organizations. These transfers can only be effected if the controllers and the processors falling under the scope of the Regulation comply with the rules provided in Chapter V.
The provision gives however a new extension to the rule: transfers of personal data to a third country or to an international organization operated as part of planned or ongoing processing are covered, but also the future processing by the recipient third country to another country or another organization. They must also comply with Chapter V of the Regulation. In other words, by this provision, the Regulation sets up a sort of data protection-specific “right to pursue”: the data transferred outside the Union remain subject to the law of the Union not only for their transfer, but also for any processing and subsequent transfer.
The concept of international organization, defined in article 4, 26) of the Regulation is an organization and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.
This provision has been reintroduced by the final version of the Regulation, after having been removed from the second proposed version. The goal, as referred to in the provision is that the level of protection of individuals guaranteed by the Regulations is not lowered.
The Directive included no similar provision.
The extension of the territorial scope to processing carried out outside the territory of the Union, by recipient controllers and processors established outside the EU has both political and legal implications.
Politically, the provision allows the European authorities to intervene and detect violations of the Regulation outside the EU on the grounds of a new legitimacy included in the Regulation. It can more easily use the argument of the data protection in different files or negotiations in order to obtain an advantage.
Legally, it goes without saying that the provision may be felt by third countries as an attack on their sovereignty because it imposes a new rule on their territory and a limitation of the freedom of processing. The powers of control and enforcement of the EU authorities and the Member States, of course, cannot be exercised outside the territory of the EU.
The measure must be taken of the difference with other rules allowing the application of the Regulation to controllers established outside the territory of the EU (see Article 3). It is an indirect submission since only the controllers and the processors who are subject to the other provisions of the Regulation pursuant to Article 3, must comply with Article 44 and accordingly, Chapter V. There is no recipient of the transferred data. Or any person concerned by the data which would be at the origin of the transfer either.
Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.
1st proposal close
Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation may only take place if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation.
2nd proposal close
No specific provision
No specific provision
In force until May 25, 2018:
The Act on Personal Data Protection
1. The transfer of personal data to a third country may take place only, if the country of destination ensures adequate level of personal data protection in its territory,
1a. The adequacy of the level of personal data protection referred to in paragraph 1 shall be evaluated taking into account all the circumstances concerning a data transfer operation, in particular the nature of the data, the purpose and duration of the proposed data processing operations, the country of origin and the country of final destination of the data as well as the legal provisions being in force in a given third country and the security measures and professional rules applied in this country.
2. The provision of paragraph 1 above shall not apply if the transfer of personal data results from an obligation imposed on the data controller by legal provisions or by the provisions of any ratified international agreement which guarantee adequate level of data protection.
3. Nevertheless the controller may transfer the personal data to a third country provided that:
1) the data subject has given his/her written consent,
2) the transfer is necessary for the performance of a contract between the data subject and the controller or takes place in response to the data subject's request,
3) the transfer is necessary for the performance of a contract concluded in the interests of the data subject between the controller and another subject,
4) the transfer is necessary or required by reasons of public interests or for the establishment of legal claims,
5) the transfer is necessary in order to protect the vital interests of the data subject,
6) the transfer relates to data which are publicly available.