menu MENU
arrow_back Back to the list of all Articles
Change country (Currently : Bulgaria) language
Contact our local member in Bulgaria mail_outline
Visit the website of Dimitrov, Petrov & Co. account_balance

arrow_backPrevious Article
Article 44
Next Articlearrow_forward

General principle for transfers

Official
Texts Guidelines
& Caselaw Review of
EU Regulation Review of
Nat. Regulation
Show key term(s) and Article(s) related to article 44 of the Regulation keyboard_arrow_down Hide key term(s) and Article(s) related to article 44 keyboard_arrow_up

Key words related to article 44

Show the recitals of the Regulation related to article 44 keyboard_arrow_down Hide the recitals of the Regulation related to article 44 keyboard_arrow_up

(6) Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data.

Show the recitals of the Directive related to article 44 keyboard_arrow_down Hide the recitals of the Directive related to article 44 keyboard_arrow_up

No specific provision

The GDPR

Article 44 is intended to state the general principle governing  data transfers to non-EU third countries or international organizations. These transfers can only be effected if the controllers and the processors falling under the scope of the Regulation comply with the rules provided  in Chapter V.

The provision gives however a new extension to the rule: transfers of personal data to a third country or to an international organization operated as part of planned or ongoing processing are covered, but also the future processing by the recipient third country to another country or another organization. They must also comply with Chapter V of the Regulation. In other words, by this provision, the Regulation sets up a sort of data protection-specific “right to pursue”: the data transferred outside the Union remain subject to the law of the Union not only for their transfer, but also for any processing and subsequent transfer.

The concept of international organization, defined in article 4, 26) of the Regulation is an organization and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.

This provision has been reintroduced by the final version of the Regulation, after having been removed from the second proposed version. The goal, as referred to in the provision is that the level of protection of individuals guaranteed by the Regulations is not lowered.

The Directive

The Directive included no similar provision.

Potential issues

The extension of the territorial scope to processing carried out outside the territory of the Union, by recipient controllers and processors established outside the EU has both political and legal implications.

Politically, the provision allows the European authorities to intervene and detect violations of the Regulation outside the EU on the grounds of a new legitimacy included in the Regulation. It can more easily use the argument of the data protection in different files or negotiations in order to obtain an advantage.

Legally, it goes without saying that the provision may be felt by third countries as an attack on their sovereignty because it imposes a new rule on their territory and a limitation of the freedom of processing. The powers of control and enforcement of the EU authorities and the Member States, of course, cannot be exercised outside the territory of the EU.

The measure must be taken of the difference with other rules allowing the application of the Regulation to controllers established outside the territory of the EU (see Article 3). It is an indirect submission since only the controllers and the processors who are subject to the other provisions of the Regulation pursuant to Article 3, must comply with Article 44 and accordingly, Chapter V. There is no recipient of the transferred data. Or any person concerned by the data which would be at the origin of the transfer either.

arrow_back Previous ArticleArticle 44Next Article arrow_forward
arrow_back Previous ArticleArticle 44 Next Article arrow_forward
arrow_back Previous ArticleArticle 44 Next Article arrow_forward
Regulation
1e 2e

Art. 44

Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.

1st proposal close

Art. 40

Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation may only take place if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation.
2nd proposal close

No specific provision
Directive close

No specific provision
Bulgaria
compare_arrows

Personal Data Protection Act

Article 36

(1) The provision of personal data by the controller to foreign natural or legal persons or to foreign government authorities is allowed upon approval by the Commission for Personal Data Protection, if the legislation of the recipient country guarantees a level of data protection that is better or equivalent to that provided by this Act.

(2) In the transfer of personal data in cases referred to in Para 1, the requirements of this Act apply.

 

Article 36a (Last Amendment - SG No. 81/2011)

(1) The provision of personal data in the state - member of the Union, and in another state - member of the European Economic Area is done freely, in compliance with the requirements of this Act.

(2) The provision of personal data to a third country is allowed only if such third country ensures an adequate level of personal data protection within its territory.

[…]
arrow_back Previous ArticleArticle 44 Next Article arrow_forward
close

2016 - www.itiplaw.eu.