Logo European Date Protection Supervisor
RSS Feed EDPS on Twitter
Home | Sitemap | Legal notice
The EDPS Supervision Consultation Cooperation
  Members & Mission
  Data protection
  Legislation
  Q&A
  Glossary
  Press & News
  Publications
  Events
  Human Resources
  Data Protection Officer
  Contact
  Links
  Legal notice
 
 
02 May 2013

EDPS Supervision and Enforcement activities - watch our video!
30 April 2013

Newsletter 37

30 April 2013

Read our opinion on the Communication from the Commission to the European Parliament and the Council entitled 'Strengthening law enforcement cooperation in the EU: the European Information Exchange Model (EIXM)'
24 April 2013

Read the speech of Giovanni Buttarelli delivered at the conference on "The future of the regulation of personal data in Europe: A French-Italian dialogue" in Paris
18 April 2013

Visit our stand and chat with us at EU Open Day on 4 May!
News
News
 
print Print friendly

9) Transfer of personal data



Can personal data be transferred to someone else?

Transfers of personal data within or between Community institutions or bodies are subject to certain conditions according to Article 7 of Regulation (EC) No 45/2001. For instance, such transfer should be necessary for the legitimate performance of the public tasks involved. These conditions apply in addition to the other criteria for lawful processing.

Similar but often stricter conditions apply to transfers to recipients in the EU and EEA Member States, and especially to recipients in third countries.

May personal data be transferred to recipients in the EU and the EEA (the European Economic Area) Member States?

Transfers to recipients other than Community institutions and bodies which are subject to a national law adopted for the implementation of Directive 95/46/EC (thus governed by the provisions of Article 8 of Regulation 45/2001), such as private companies or national authorities, will in most cases also require that the recipient establishes the need for the transfer - for example if it is necessary for carrying out a task in the public interest.

All EU Member States and the Member States of the EEA (Iceland, Norway and Liechtenstein) apply the provisions of Directive 95/46/EC. These countries thereby respect the principles of protection of personal data as laid down in the Directive.

May personal data be transferred to recipients outside the EU and the EEA?

Transfers of personal data to recipients which are not subject to national law adopted pursuant to Directive 95/46/EC are governed by the stricter provisions of Article 9 of Regulation (EC) No 45/2001. Such a transfer may only take place if an adequate level of protection is ensured in the country of the recipient or within the recipient international organisation, and the data are transferred solely to allow tasks covered by the competence of the controller.

The adequacy of the level of protection by the recipient is evaluated by the European Commission (in co-operation with the Article 29 Working Party).

The effect of a decision of the European Commission that a third country provides adequate protection is that personal data can be transferred from the 27 EU and the three EEA Member States to that third country without any further safeguards. The European Commission provides a list of such countries, as well as model contracts for the transfer of personal data to third countries.

► Commission decision on the adequacy of the protection of personal data in third countries 
► Safe harbour
► Adequacy decision

What are "binding corporate rules"?

Link: Glossary

What is the purpose of "standard contractual clauses"?

Companies and other organisations which are subject to the national laws implementing Directive 95/46 on the protection of personal data may use standard contractual clauses to ensure an "adequate level of protection for personal data", which are to be transferred outside of the EU, the EEA and the countries that provide an adequate level of protection.

The standard contractual clauses provide rules on litigation, auditing requirements, sanctions, as well as on the powers of the National Data Protection Authorities.

The use of standard contractual clauses and binding corporate rules are part of the European Commission’s work for a better implementation of Directive 95/46.

Further information on standard contractual clauses