According to the GDPR provisions, the transfer of personal data to countries outside the EU or to international organisations is permitted only where their legal framework ensures an adequate level of data protection. Our Blog Editor Vasiliki Antoniadou explains the WP29 Guidelines on adequacy of data protection by third countries under the GDPR.
Whether the legal rules are adequate and effective is decided by the EU Commission in a binding manner, after receiving the advice of the European Data Protection Board (EDPB).
Adequate level of data protection
The Article 29 Working Party clarifies that the EU legislation need not be copied point by point; rather, the level of data protection must be essentially equivalent to that introduced in the EU. In particular, for the data transfer to be lawful, the third country or international organisation should implement specific and enforceable provisions that conform with the core data protection principles present in the GDPR and the EU Charter of Fundamental Rights. The WP29 Guidelines on adequacy of data protection by third countries are therefore based on these principles rather than on exact rules.
General data protection principles
The core data protection principles in the EU legal system that are fundamental for an adequate level of data protection have been identified by the WP29 Guidelines on adequacy of data protection by third countries as follows:
- Basic data protection concepts such as “personal data”, “data controller”, “data processor”, “sensitive data”.
- Legitimate grounds for lawful and fair data processing such as provisions in national law, the consent of the data subject or performance of a contract.
- The purpose limitation principle, according to which data processing is conducted for a specific purpose and the data's use should be compatible with that purpose.
- The data quality principle, which guarantees accurate and up-to-date data, as well as the proportionality principle, pursuant to which the data should be relevant and not excessive in relation to the purpose of processing.
- The data retention principle, which stipulates that data should not be kept longer than necessary for the purposes of processing.
- The security and confidentiality principle, which requires appropriate technical or organisational measures in order to ensure protection against unauthorised or unlawful processing, accidental loss, destruction or damage.
- The transparency principle, according to which data subjects should be informed in a clear and transparent manner about the particulars of the data processing, such as its purpose, the identity of the controller and the rights available to them.
- The rights of access, rectification, erasure and objection, which enable the individual to obtain relevant information, correct or erase inaccurate data and object on legitimate grounds to the data processing.
- Restrictions on onward transfers, meaning that further data transfers should not be permitted unless the further recipient fulfils the criterion of an adequate level of data protection.
It should be noted that additional content principles must apply to special categories of data, direct marketing, and automated decision making and profiling.