Hello. Welcome back to this introduction to GDPR.
In this video I'll talk briefly about data transfers to third countries and within international organizations.
Organizations operating in more than one EU member state should determine their lead data protection supervisory authority and document this.
The lead authority is the supervisory authority in the state where the main establishment is.
The organization's main establishment is the location where the central administration in the EU is, or else the location where decisions about the purposes and means of processing are taken and implemented.
This is only relevant where organizations carry out cross-border processing, i.e. where there are establishments in more than one EU member state, or there is a single establishment in the EU that carries out processing which substantially affects individuals in other EU states.
In that case, the organization should map out where it makes its most significant decisions about its data processing activities.
This will help to determine the main establishment and therefore the lead supervisory authority.
I'll cover transfers of data to third countries on the next slide. There is a specific means of intra-organizational data transfers allowable under GDPR.
These are called binding corporate rules.
These have been developed to allow multinational corporations, international organizations and groups of companies to make intra-organizational transfers of personal data across borders.
They need to be approved by the lead authority of the organization in the EU.
They involve creating intra-organizational policies, practices, processes and guidelines
that satisfy EU data protection regulations and are typically supported by internal legal agreements, staff training and auditing.
For organizations that want to pass personal data to processors in third countries,
i.e. those outside the European Economic Area,
The following must apply.
The organization receiving the personal data has provided adequate safeguards. Individuals' rights must be enforceable, and effective legal remedies for individuals must be available following the transfer.
The general principle remains that any transfer of personal data must provide the data subjects with the same level of protection that they would receive if the processing occurred within the EU, and that the rules are enforceable and remedies are available should data breaches occur.
Article 44 states: any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organization shall take place only if, subject to the other provisions of this regulation,
the conditions laid down in this chapter are complied with by the controller and processor,
including for onward transfers of personal data from the third country
or an international organization to another third country
or to another international organization.
All provisions in this chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this regulation is not undermined.
This means that for processing of personal data to be legal,
the protections and rights of data subjects must not be diminished by the transfer of personal data to third countries.
In addition to the member states of the EU and the European Economic Area, the EU has designated some other countries as having adequate levels of personal data protection, meaning that personal data can be transferred to these countries with the usual safeguards.
Currently, as of June 2017,
the countries that have been approved by the Commission for data transfers are
Guernsey, the Isle of Man, Israel,
Jersey, New Zealand, Switzerland and Uruguay.
Countries that have to be added to or taken off these lists will be published in the Official Journal of the EU.
The US Safe Harbor agreement, which was the basis for data transfers to the US,
was struck down by the Court of Justice of the EU in October 2015.
There is a replacement EU-US Privacy Shield framework in force. But according to the Article 29 Data Protection Working Group,
there are at least three significant issues that are likely not robust enough to withstand legal scrutiny from the European court.
These relate to deletion of data,
collection of massive amounts of data,
and clarification of a new ombudsperson mechanism.
Anyone who has followed this course will understand why these are problems.
So in summary, any organization that wants to transfer personal data to the US will need to be clear about its legal basis for doing so and keep up to date with the rapidly changing legal landscape in EU-US data privacy relations.
When looking to transfer personal data to countries outside those listed above, the transfers are prohibited unless safeguards are in place.
As described in Article 44 at the start of this slide, the general principles at play here are that transfers must provide appropriate safeguards for data subjects, enforceable rights and effective legal remedies,
and that these rights must not be undermined by the transfer of data.
All three must be in place before processing can begin.
Data transfers are also permitted where the data subject has given explicit consent
or where it is necessary in the performance of a contract. But the rules around these legal bases for processing, as described in video three, still apply,
for example, the right to be forgotten and to have one's data deleted on the removal of consent.
This is a very tricky and changing part of the data protection landscape.
It would be advisable that any decisions you make in this area are made after taking specialist legal advice,
as the administrative fines for breaches in data transfers to third countries come in the highest bracket of fines, i.e. 20 million euros or 4% of global revenues, whichever is larger.
In the next video, we'll be looking at what's new in GDPR and run through a checklist of compliance areas.
In the meantime, thank you for watching.