menu MENU
arrow_back Back to the list of all Articles
Change country (Currently : Austria) language
Contact our local member in Austria mail_outline
Visit the website of Geistwert account_balance

arrow_backPrevious Article
Article 44
Next Articlearrow_forward

General principle for transfers

Official
Texts Guidelines Caselaw Review of
EU Regulation Review of
Nat. Regulation
Show key term(s) and Article(s) related to article 44 of the Regulation keyboard_arrow_down Hide key term(s) and Article(s) related to article 44 keyboard_arrow_up

Key words related to article 44

Show the recitals of the Regulation related to article 44 keyboard_arrow_down Hide the recitals of the Regulation related to article 44 keyboard_arrow_up

(6) Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data.

Show the recitals of the Directive related to article 44 keyboard_arrow_down Hide the recitals of the Directive related to article 44 keyboard_arrow_up

No specific provision

The GDPR

Article 44 is intended to state the general principle governing  data transfers to non-EU third countries or international organizations. These transfers can only be effected if the controllers and the processors falling under the scope of the Regulation comply with the rules provided  in Chapter V.

The provision gives however a new extension to the rule: transfers of personal data to a third country or to an international organization operated as part of planned or ongoing processing are covered, but also the future processing by the recipient third country to another country or another organization. They must also comply with Chapter V of the Regulation. In other words, by this provision, the Regulation sets up a sort of data protection-specific “right to pursue”: the data transferred outside the Union remain subject to the law of the Union not only for their transfer, but also for any processing and subsequent transfer.

The concept of international organization, defined in article 4, 26) of the Regulation is an organization and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.

This provision has been reintroduced by the final version of the Regulation, after having been removed from the second proposed version. The goal, as referred to in the provision is that the level of protection of individuals guaranteed by the Regulations is not lowered.

The Directive

The Directive included no similar provision.

Potential issues

The extension of the territorial scope to processing carried out outside the territory of the Union, by recipient controllers and processors established outside the EU has both political and legal implications.

Politically, the provision allows the European authorities to intervene and detect violations of the Regulation outside the EU on the grounds of a new legitimacy included in the Regulation. It can more easily use the argument of the data protection in different files or negotiations in order to obtain an advantage.

Legally, it goes without saying that the provision may be felt by third countries as an attack on their sovereignty because it imposes a new rule on their territory and a limitation of the freedom of processing. The powers of control and enforcement of the EU authorities and the Member States, of course, cannot be exercised outside the territory of the EU.

The measure must be taken of the difference with other rules allowing the application of the Regulation to controllers established outside the territory of the EU (see Article 3). It is an indirect submission since only the controllers and the processors who are subject to the other provisions of the Regulation pursuant to Article 3, must comply with Article 44 and accordingly, Chapter V. There is no recipient of the transferred data. Or any person concerned by the data which would be at the origin of the transfer either.

arrow_back Previous ArticleArticle 44Next Article arrow_forward
arrow_back Previous ArticleArticle 44 Next Article arrow_forward

Summary

European Union

European Union

European data protection board (EDPB)

Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR (14 February 2023)

The GDPR does not provide for a legal definition of the notion “transfer of personal data to a third country or to an international organisation”. Therefore, the EDPB provides these guidelines to clarify the scenarios to which it considers that the requirements of Chapter V should be applied and, to that end, it has identified three cumulative criteria to qualify a processing operation as a transfer:

1) A controller or a processor (“exporter”) is subject to the GDPR for the given processing.

2) The exporter discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”).

3) The importer is in a third country, irrespective of whether or not this importer is subject to the GDPR for the given processing in accordance with Article 3, or is an international organisation.

If the three criteria as identified by the EDPB are met, there is a transfer and Chapter V of the GDPR is applicable. This means that the transfer can only take place under certain conditions, such as in the context of an adequacy decision from the European Commission (Article 45) or by providing appropriate safeguards (Article 46). The provisions of Chapter V aim at ensuring the continued protection of personal data after they have been transferred to a third country or to an international organisation.

Conversely, if the three criteria are not met, there is no transfer and Chapter V of the GDPR does not apply. In this context, it is however important to recall that the controller must nevertheless comply with the other provisions of the GDPR and remains fully accountable for its processing activities, regardless of where they take place. Indeed, although a certain data transmission may not qualify as a transfer according to Chapter V, such processing can still be associated with increased risks since it takes place outside the EU, for example due to conflicting national laws or disproportionate government access in the third country. These risks need to be considered when taking measures under, inter alia, Article 5 (“Principles relating to processing of personal data”), Article 24 (“Responsibility of the controller”) and Article 32 (“Security of processing”) – in order for such processing operation to be lawful under the GDPR.

These guidelines include various examples of data flows to third countries, which are also illustrated in an Annex in order to provide further practical guidance.

Link

 

Frequently Asked Questions on the judgment in Case C-311/18 - Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (23 July 2020)

This document aims at presenting answers to some frequently asked questions received by supervisory authorities (“SAs”) and will be developed and complemented along with further analysis, as the EDPB continues to examine and assess the judgment of the Court of Justice of the European Union (the “Court”).

Link

Retour au sommaire
arrow_back Previous Article Article 44 Next Article arrow_forward

Summary

European Union

European Union

CJEU caselaw

C-101/01 (6 November 2003) - Lindqvist

1. The act of referring, on an internet page, to various persons and identifying them by name or by other means, for instance by giving their telephone number or information regarding their working conditions and hobbies, constitutes 'the processing of personal data wholly or partly by automatic means' within the meaning of Article 3(1) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

2. Such processing of personal data is not covered by any of the exceptions in Article 3(2) of Directive 95/46.

3. Reference to the fact that an individual has injured her foot and is on half-time on medical grounds constitutes personal data concerning health within the meaning of Article 8(1) of Directive 95/46.

4. There is no 'transfer [of data] to a third country' within the meaning of Article 25 of Directive 95/46 where an individual in a Member State loads personal data onto an internet page which is stored on an internet site on which the page can be consulted and which is hosted by a natural or legal person who is established in that State or in another Member State, thereby making those data accessible to anyone who connects to the internet, including people in a third country.

5. The provisions of Directive 95/46 do not, in themselves, bring about a restriction which conflicts with the general principles of freedom of expression or other freedoms and rights, which are applicable within the European Union and are enshrined inter alia in Article 10 of the European Convention for the Protection of Human Rights and Fundamental Freedoms signed at Rome on 4 November 1950. It is for the national authorities and courts responsible for applying the national legislation implementing Directive 95/46 to ensure a fair balance between the rights and interests in question, including the fundamental rights protected by the Community legal order.

6. Measures taken by the Member States to ensure the protection of personal data must be consistent both with the provisions of Directive 95/46 and with its objective of maintaining a balance between freedom of movement of personal data and the protection of private life. However, nothing prevents a Member State from extending the scope of the national legislation implementing the provisions of Directive 95/46 to areas not included in the scope thereof provided that no other provision of Community law precludes it.

Opinion of Advocate general

Judgment of the Court

C-311/18 (16 July 2020) - Facebook Ireland et Schrems

1.   Article 2(1) and (2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), must be interpreted as meaning that that regulation applies to the transfer of personal data for commercial purposes by an economic operator established in a Member State to another economic operator established in a third country, irrespective of whether, at the time of that transfer or thereafter, that data is liable to be processed by the authorities of the third country in question for the purposes of public security, defence and State security.

2.   Article 46(1) and Article 46(2)(c) of Regulation 2016/679 must be interpreted as meaning that the appropriate safeguards, enforceable rights and effective legal remedies required by those provisions must ensure that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses are afforded a level of protection essentially equivalent to that guaranteed within the European Union by that regulation, read in the light of the Charter of Fundamental Rights of the European Union. To that end, the assessment of the level of protection afforded in the context of such a transfer must, in particular, take into consideration both the contractual clauses agreed between the controller or processor established in the European Union and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the personal data transferred, the relevant aspects of the legal system of that third country, in particular those set out, in a non-exhaustive manner, in Article 45(2) of that regulation.

3.   Article 58(2)(f) and (j) of Regulation 2016/679 must be interpreted as meaning that, unless there is a valid European Commission adequacy decision, the competent supervisory authority is required to suspend or prohibit a transfer of data to a third country pursuant to standard data protection clauses adopted by the Commission, if, in the view of that supervisory authority and in the light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country and the protection of the data transferred that is required by EU law, in particular by Articles 45 and 46 of that regulation and by the Charter of Fundamental Rights, cannot be ensured by other means, where the controller or a processor has not itself suspended or put an end to the transfer.

4.   Examination of Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EU of the European Parliament and of the Council, as amended by Commission Implementing Decision (EU) 2016/2297 of 16 December 2016 in the light of Articles 7, 8 and 47 of the Charter of Fundamental Rights has disclosed nothing to affect the validity of that decision.

5.   Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-US Privacy Shield is invalid.

Opinion of Advocate general

Judgment of the Court

Retour au sommaire Retour au sommaire
arrow_back Previous Article Article 44 Next Article arrow_forward
Regulation
1e 2e

Art. 44

Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.

1st proposal close

Art. 40

Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation may only take place if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation.
2nd proposal close

No specific provision
Directive close

No specific provision
Austria
compare_arrows

In force until May 25, 2018:

Transmission and Committing of Data not Subject to Licensing (Prior Approval)

§ 12 DSG 2000

(1) The transmission and committing of data to recipients in signatory states of the European economic area is not subject to any restrictions in terms of § 13. This does not apply to data exchange between public sector controllers in fields that are not subject to the law of the European Union.

(2) No authorisation pursuant to § 13 shall be required for data exchange with recipients in third countries with an adequate level of data protection. The countries that have an adequate level of data protection shall be enumerated in an ordinance of the Federal Chancellor in accordance with § 55 sub-para. 1. The decisive consideration as to the adequacy of the protection shall be the implementation of the principles of § 6 para. 1 in the foreign legal system as well as the existence of effective guarantees for their enforcement.

(3) Furthermore, data exchange shall not require authorisation if

1. the data have been published legitimately in Austria or

2. data are transferred or committed that are only indirectly personal to the recipient or

3. the transmission or committing is authorized by regulations that are equivalent to a statute in the Austrian legal system and are immediately applicable or

4. data from a data application for private purposes (§ 45) or for journalistic purposes (§ 48) is transmitted or

5. the data subject has without any doubt given his consent to the transmission or committing or

6. a contract between the controller and the data subject or a third party that has been concluded clearly in the interest of the data subject cannot be fulfilled except by the transmission of data or

7. the transmission is necessary for the establishment, exercise or defence of legal claims before a foreign authority and the data were collected legitimately or

8. the transmission or committing is expressly named in a standard ordinance (§ 17 para. 2 sub-para. 6) or model ordinance (§ 19 para. 2) or

9. the data exchange is with Austrian governmental missions and offices in foreign countries or

10. transmissions or committing are made from a data application that is exempted from notification according to § 17 para. 3.

(4) If the transmission or committing in cases not covered by the preceding paragraphs is necessary

1. to safeguard an important public interest or

2. to safeguard a vital interest of a person

and of such urgency that the authorisation of the Data Protection Authority required according to § 13 cannot be obtained in time without risk to the above-mentioned interests, it may be performed without a permit, but must be notified to the Data Protection Authority immediately.

(5) The legality of a data application in Austria according to § 7 is a prerequisite for every transmission or committing. Furthermore, committing requires the written promise of the processor abroad to the domestic controller – or in the case of § 13 para. 5 to the domestic processor – that he shall respect the obligations of a processor according to § 11 para 1. This is not applicable if the processing abroad is provided for in regulations that are equivalent to a law in the Austrian legal system and are immediately applicable.

Abroad Transmission and Committing of Data Subject to Licensing​ (Prior Approval)

§ 13 DSG 2000

(1) Insofar as a case of data exchange is not exempted from authorisation according to § 12, the controller has to apply for a permit by the Data Protection Authority (§ 35) before the transmission or committing. The Data Protection Authority can issue the permit subject to conditions and obligations.

(2) The permit shall be given, taking into consideration the promulgations pursuant to § 55 sub-para. 2, if the requirements of § 12 para. 5 are met, and despite the lack of an adequate general level of data protection in the recipient state

1. an adequate level of data protection exists for the transmission or committing outlined in the application for the permit in this specific case; this is then to be judged considering all circumstances relevant to the use of data, such as the type of data used, the purpose and duration of use, the country of origin and final destination as well as the general and sectoral legal provisions, professional rules and security standards applying in the third country; or

2. the controller can satisfactorily demonstrate that the interests in secrecy deserving protection of the data subject of the planned data exchange will be respected outside of Austria. In particular, contractual guarantees by the recipient as well as unilateral declarations by the applicant (§ 19 para 2) in the application for permit about the more detailed circumstances of the use of data abroad are significant for the decision. Unilateral declarations by the applicant become legally binding for him upon registration by the Data Protection Authority.

(3) In the case of data applications subject to notification, the Data Protection Authority shall put a copy of each ruling authorising the transmission or committing of data on the notification file and enter the fact that authorisation has been granted into the Data Processing Register (§ 16).

(4) Deviating from para. 1, a domestic processor can apply for a permit if, in order to fulfil his contractual duties vis-á-vis multiple controllers, he wishes to enlist the service of a specific processor outside of Austria. The actual committing shall only be performed with the consent of the controller. The controller shall report to the Data Protection Authority from which of his data applications subject to notification the authorised committing to the processor shall take place; this is to be entered into the Data Processing Register.

(5) The transmission of data to representations of foreign governments or intergovernmental institutions in Austria shall be treated as data exchange with regard to the requirement for authorisation according to para. 1.

(6) If the Federal Chancellor has decreed by ordinance that, despite the lack of an adequate general level of data protection in the recipient state, the requirements according to para. 2 sub-para. 1 are met for specific categories of data exchange with this recipient state, the obligation to obtain a permit is replaced by an obligation to notify the Data Protection Authority. The Data Protection Authority shall prohibit the notified data exchange within six weeks after receiving the notification if it is not attributed to one of the categories regulated in the ordinance or if it does not fulfil the requirements according to § 12 para. 5; otherwise the transmission or committing is permitted.
arrow_back Previous ArticleArticle 44 Next Article arrow_forward
close

2016 - www.itiplaw.eu.