Personal data transfer to third countries
Is approval by Inspector General for Personal Data Protection necessary?
Legal alert (3/2015)
Along with re-defining of the role of Information Security Administrator, whose appointment must be considered by each entrepreneur, amendments to the Act on personal data protection coming into force in January mean substantial changes regarding transfer of personal data to third countries.
Along with re-defining of the role of Information Security Administrator, whose appointment must be considered by each entrepreneur, amendments to the Data Protection Act coming into force in January mean substantial changes regarding transfer of personal data to third countries.
Until the end of 2014, each time personal data were transferred from Poland to a non-EEA country (e.g. the U.S.), an entrepreneur was obliged to obtain an approval of the Inspector General for Personal Data Protection (GIODO) to perform the transfer.
Obtaining such an approval was necessary also when an administrator and a party receiving the data concluded an agreement containing standard clauses which, pursuant to a decision of the European Commission, bear characteristics of a legal instrument protecting personal rights and freedom to an appropriate extent.
The amendments relieve data administrators who transfer personal data using the standard contractual clauses of the obligation to request GIODO's approval of the data transfer.
Thus, GIODO will not be obliged to re-examine the principles of transfer and protection of personal data formerly approved by the European Commission under standard contractual clauses.
Excluding the transfer of data based on standard contractual clauses from GIODO’s control does not relieve administrators of other personal data protection requirements, nor does it eliminate the necessity to ensure that the processing of personal data by a foreign party is legal, if the party is to act as an administrator of these data.
Additionally, if an administrator and a receiving party decide to modify the standard contractual clauses, GIODO's approval will be necessary to perform a data transfer.
The standard contractual clauses are available at:
- for agreements regarding data transfer between administrators;
- alternative version of agreements regarding data transfer between administrators;
- for agreements regarding data transfers from an administrator to a processing party (as defined in Article 31 of the Act on personal data protection).
The amendments allow GIODO approving so-called binding corporate rules, i.e. internal principles regarding personal data protection adopted by international corporations.
Adopting of such rules to be followed by the entire corporation shall mean that all data administrators working for this capital group can transfer personal data among themselves without GIODO’s approval, provided they comply with the rules.
Since the solution has been known and applied in other EU member states, according to the Act, prior to approving the binding corporate rules, GIODO may consult competent data protection authorities in the countries of residence of businesses belonging to a given group. If the binding corporate rules have been already approved by data protection authorities in another country, GIODO may consider the approval, which may facilitate the acceptance of the rules already accepted by another member state in Poland.