Article 44
General principle for transfers
Regulation
Art. 44 Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined. |
Directive
No specific provision |
Spain
Article 33.- General rule.- Organic Law 15/1999 on the Protection of Personal Data.- 1. There may be no temporary or permanent transfers of personal data which have been processed or which were collected for the purpose of such processing to countries which do not provide a level of protection comparable to that provided by this Law, except where, in addition to complying with this Law, prior authorisation is obtained from the Director of the Data Protection Agency, who may grant it only if adequate guarantees are obtained. 2. The adequacy of the level of protection afforded by the country of destination shall be assessed by the Data Protection Agency in the light of all the circumstances surrounding the data transfer or category of data transfer. Particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question, the content of the reports by the Commission of the European Union, and the professional rules and security measures in force in those countries.
Article 67.- Adequate level of protection resolved by the Spanish Data Protection Agency. - Royal Decree 1720/2007 Implementing Organic Law 15/1999.- 1. Authorisation of the Director of the Spanish Data Protection Agency shall not be required for an international transfer of data when the rules applicable to the Country where the importer is located offer such adequate level of protection in the opinion of the Director of the Spanish Data Protection Agency. The adequate nature of the level of protection offered by the country receiving the data shall be assessed bearing in mind all the circumstances of the transfer or category of the data transfer. In particular, the nature of the data, the purpose and duration of the processing or processes planned, the country of origin and the country of final destination, the general or sectoral rules of law valid in the third country in question, the content of the reports of the European Commission, as well as the professional rules and security measures in force in such countries shall all be taken into account. The decisions of the Director of the Spanish Data Protection Agency resolving that a specific country provides an adequate level of protection of data shall be published in the Official Spanish Gazette. 2. The Director of the Spanish Data Protection Agency shall resolve the publication of the list of countries where the level of protection has been deemed comparable pursuant to the provisions of the previous subsection. This list shall be published and updated by computerised or telematic means.
Article 68.- Adequate level of protection declared by decision of the European Comission.- Royal Decree 1720/2007 Implementing Organic Law 15/1999.- Authorisation of the Director of the Spanish Data Protection Agency shall not be required for an international transfer of data where the importer is a person or entity, public or private, located in the territory of a Country where the European Commission has declared the existence of an adequate level of protection. |