General principle for transfers
(6) Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data.
Article 44 is intended to state the general principle governing data transfers to non-EU third countries or international organizations. These transfers can only be effected if the controllers and the processors falling under the scope of the Regulation comply with the rules provided in Chapter V.
The provision gives however a new extension to the rule: transfers of personal data to a third country or to an international organization operated as part of planned or ongoing processing are covered, but also the future processing by the recipient third country to another country or another organization. They must also comply with Chapter V of the Regulation. In other words, by this provision, the Regulation sets up a sort of data protection-specific “right to pursue”: the data transferred outside the Union remain subject to the law of the Union not only for their transfer, but also for any processing and subsequent transfer.
The concept of international organization, defined in article 4, 26) of the Regulation is an organization and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.
This provision has been reintroduced by the final version of the Regulation, after having been removed from the second proposed version. The goal, as referred to in the provision is that the level of protection of individuals guaranteed by the Regulations is not lowered.
The Directive included no similar provision.
The extension of the territorial scope to processing carried out outside the territory of the Union, by recipient controllers and processors established outside the EU has both political and legal implications.
Politically, the provision allows the European authorities to intervene and detect violations of the Regulation outside the EU on the grounds of a new legitimacy included in the Regulation. It can more easily use the argument of the data protection in different files or negotiations in order to obtain an advantage.
Legally, it goes without saying that the provision may be felt by third countries as an attack on their sovereignty because it imposes a new rule on their territory and a limitation of the freedom of processing. The powers of control and enforcement of the EU authorities and the Member States, of course, cannot be exercised outside the territory of the EU.
The measure must be taken of the difference with other rules allowing the application of the Regulation to controllers established outside the territory of the EU (see Article 3). It is an indirect submission since only the controllers and the processors who are subject to the other provisions of the Regulation pursuant to Article 3, must comply with Article 44 and accordingly, Chapter V. There is no recipient of the transferred data. Or any person concerned by the data which would be at the origin of the transfer either.
Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.
1st proposal close
Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation may only take place if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation.
2nd proposal close
No specific provision
No specific provision
In force until May 25, 2018:
Transmission and Committing of Data not Subject to Licensing (Prior Approval)
§ 12 DSG 2000
(1) The transmission and committing of data to recipients in signatory states of the European economic area is not subject to any restrictions in terms of § 13. This does not apply to data exchange between public sector controllers in fields that are not subject to the law of the European Union.
(2) No authorisation pursuant to § 13 shall be required for data exchange with recipients in third countries with an adequate level of data protection. The countries that have an adequate level of data protection shall be enumerated in an ordinance of the Federal Chancellor in accordance with § 55 sub-para. 1. The decisive consideration as to the adequacy of the protection shall be the implementation of the principles of § 6 para. 1 in the foreign legal system as well as the existence of effective guarantees for their enforcement.
(3) Furthermore, data exchange shall not require authorisation if
1. the data have been published legitimately in Austria or
2. data are transferred or committed that are only indirectly personal to the recipient or
3. the transmission or committing is authorized by regulations that are equivalent to a statute in the Austrian legal system and are immediately applicable or
4. data from a data application for private purposes (§ 45) or for journalistic purposes (§ 48) is transmitted or
5. the data subject has without any doubt given his consent to the transmission or committing or
6. a contract between the controller and the data subject or a third party that has been concluded clearly in the interest of the data subject cannot be fulfilled except by the transmission of data or
7. the transmission is necessary for the establishment, exercise or defence of legal claims before a foreign authority and the data were collected legitimately or
8. the transmission or committing is expressly named in a standard ordinance (§ 17 para. 2 sub-para. 6) or model ordinance (§ 19 para. 2) or
9. the data exchange is with Austrian governmental missions and offices in foreign countries or
10. transmissions or committing are made from a data application that is exempted from notification according to § 17 para. 3.
(4) If the transmission or committing in cases not covered by the preceding paragraphs is necessary
1. to safeguard an important public interest or
2. to safeguard a vital interest of a person
and of such urgency that the authorisation of the Data Protection Authority required according to § 13 cannot be obtained in time without risk to the above-mentioned interests, it may be performed without a permit, but must be notified to the Data Protection Authority immediately.
(5) The legality of a data application in Austria according to § 7 is a prerequisite for every transmission or committing. Furthermore, committing requires the written promise of the processor abroad to the domestic controller – or in the case of § 13 para. 5 to the domestic processor – that he shall respect the obligations of a processor according to § 11 para 1. This is not applicable if the processing abroad is provided for in regulations that are equivalent to a law in the Austrian legal system and are immediately applicable.
Abroad Transmission and Committing of Data Subject to Licensing (Prior Approval)
§ 13 DSG 2000
(1) Insofar as a case of data exchange is not exempted from authorisation according to § 12, the controller has to apply for a permit by the Data Protection Authority (§ 35) before the transmission or committing. The Data Protection Authority can issue the permit subject to conditions and obligations.
(2) The permit shall be given, taking into consideration the promulgations pursuant to § 55 sub-para. 2, if the requirements of § 12 para. 5 are met, and despite the lack of an adequate general level of data protection in the recipient state
1. an adequate level of data protection exists for the transmission or committing outlined in the application for the permit in this specific case; this is then to be judged considering all circumstances relevant to the use of data, such as the type of data used, the purpose and duration of use, the country of origin and final destination as well as the general and sectoral legal provisions, professional rules and security standards applying in the third country; or
2. the controller can satisfactorily demonstrate that the interests in secrecy deserving protection of the data subject of the planned data exchange will be respected outside of Austria. In particular, contractual guarantees by the recipient as well as unilateral declarations by the applicant (§ 19 para 2) in the application for permit about the more detailed circumstances of the use of data abroad are significant for the decision. Unilateral declarations by the applicant become legally binding for him upon registration by the Data Protection Authority.
(3) In the case of data applications subject to notification, the Data Protection Authority shall put a copy of each ruling authorising the transmission or committing of data on the notification file and enter the fact that authorisation has been granted into the Data Processing Register (§ 16).
(4) Deviating from para. 1, a domestic processor can apply for a permit if, in order to fulfil his contractual duties vis-á-vis multiple controllers, he wishes to enlist the service of a specific processor outside of Austria. The actual committing shall only be performed with the consent of the controller. The controller shall report to the Data Protection Authority from which of his data applications subject to notification the authorised committing to the processor shall take place; this is to be entered into the Data Processing Register.
(5) The transmission of data to representations of foreign governments or intergovernmental institutions in Austria shall be treated as data exchange with regard to the requirement for authorisation according to para. 1.
(6) If the Federal Chancellor has decreed by ordinance that, despite the lack of an adequate general level of data protection in the recipient state, the requirements according to para. 2 sub-para. 1 are met for specific categories of data exchange with this recipient state, the obligation to obtain a permit is replaced by an obligation to notify the Data Protection Authority. The Data Protection Authority shall prohibit the notified data exchange within six weeks after receiving the notification if it is not attributed to one of the categories regulated in the ordinance or if it does not fulfil the requirements according to § 12 para. 5; otherwise the transmission or committing is permitted.