KG LEGAL \ INFO

Adequate countries and the processing of sensitive data

Publication date: November 13, 2024

The European Union, when issuing Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU. L. of 2016, No. 119, p. 1, as amended), commonly known as the GDPR, had to confront the consequences of globalisation. It could not confine the processing of personal data to the borders of Europe, where the GDPR guarantees strong protection. It had to create a system that could also provide this protection in third countries outside Europe.

It did so in Chapter V of the Regulation, which contains a number of solutions that, on the one hand, facilitate the processing of data in third countries and, on the other, ensure a high level of protection. The core of this solution is the institution of “adequate countries”, i.e. countries in which the European Commission has found an adequate level of personal data protection. The Regulation also provides other solutions for situations in which the recipient country is not an adequate country.

European Data Protection Board

The European Data Protection Board is a special EU body with legal personality established under Article 68 of the GDPR Regulation, whose main objective is to ensure the protection of personal data of citizens of the Member States and to ensure uniform compliance with the provisions of the GDPR Regulation.

Before the introduction of the GDPR, the main EU act on the protection of personal data was Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ EU. L. of 1995, No. 281, p. 31, as amended). On its basis, a body was established under the name “Working Party on the Protection of Individuals with regard to the Processing of Personal Data”, referred to in short as the “Working Party”. With the introduction of the new rules, it was also necessary to change the body supervising compliance with the law and protecting data. The GDPR differed substantially from Directive 95/46/EC, so the Working Party could not simply continue its operation under the new rules; a new body had to be established. The Board began operating on 25 May 2018, approximately 2 years after the adoption of the GDPR.

The EDPB is composed of a Chair and two Vice-Chairs appointed for a renewable term of 5 years, the Chair of the data protection supervisory authority of each Member State (if there are two authorities in a Member State, they appoint a joint representative) and the European Data Protection Supervisor.

The EDPB is a fully independent body. The representative of the European Commission has the right to participate in the activities and meetings of the EDPB, but has no voting rights.

The main objective of the EDPB is to ensure the consistent application and enforcement of data protection law throughout the European Economic Area. Only if Member States cooperate with each other and apply the rules consistently can the greatest possible level of data protection be achieved. To this end, Article 70 of the GDPR entrusts the EDPB with a number of tasks aimed at ensuring this consistency. The most important of these are:

  • monitoring and ensuring the proper application of the Regulation;
  • advising the Commission on matters relating to the protection of personal data in the Union, including any proposed amendments to the GDPR;
  • advising the Commission on the format and procedures for the exchange of information between controllers, processors and supervisory authorities for the purposes of binding corporate rules;
  • issuing guidelines, recommendations and best practices on important issues related to the application of the GDPR;
  • encouraging the drawing up of codes of conduct and the establishment of data protection certification mechanisms and data protection seals and marks;
  • providing the Commission with an opinion for the assessment of the adequacy of the level of protection in a third country or an international organisation, including for the assessment of whether a third country, a territory, one or more specified sectors within that third country or an international organisation no longer ensures an adequate level of protection;
  • issuing opinions on draft decisions submitted by supervisory authorities under the consistency mechanism;
  • promoting cooperation and effective bilateral and multilateral exchange of information and good practices between supervisory authorities;
  • promoting common training programmes and facilitating staff exchanges between supervisory authorities;
  • maintaining a publicly available electronic register of decisions taken by supervisory authorities and courts in cases handled under the consistency mechanism of the Regulation;
  • carrying out certification of controllers and processors to demonstrate that their operations comply with the GDPR, and maintaining a public register of certified mechanisms.

The EDPB produces an annual public report on data protection in the EU as well as in third countries and international organisations.

Territorial scope of application of the provisions of the GDPR

The European Parliament, when issuing a regulation, directive or other legal act, addresses it primarily to the EU's own bodies and institutions and to the Member States. They are bound by its provisions and, in the case of the Member States, this often entails an obligation to implement those provisions in their national legal systems. The same is true of the GDPR, with some modifications.

The GDPR applies primarily to the territories of the countries belonging to the European Economic Area, or EEA for short. In addition to the EU Member States, this includes Norway, Iceland and Liechtenstein. Switzerland is also a member of the EEA, but has not implemented the personal data protection regulations. The GDPR therefore applies to more countries than the EU itself.

Secondly, the GDPR is addressed not only to EEA countries but also, and perhaps primarily, to entities originating from these countries. These entities may be state bodies (e.g. administrative authorities), but they are mostly private entities. The Regulation divides these entities into controllers and processors, but this division is not relevant to the considerations of this article.

The detailed territorial scope of the Regulation can be found in Article 3:

  1. Processing of personal data in connection with the activities of an entity established in the Union, regardless of whether the processing takes place in the Union.
  2. Processing of personal data relating to persons staying in the Union by entities that do not have an establishment in the Union, if the processing activities are related to:
     a) offering goods or services to such persons in the Union (irrespective of whether the goods or services are paid for);
     b) monitoring their conduct, in so far as such conduct takes place within the Union.
  3. Processing of personal data by an entity not established in the Union, but in a place where the law of a Member State applies by virtue of public international law.

From the interpretation of the above article it follows that we may de facto be dealing with two situations:

  1. The entity processing the data and the person whose data is being processed originate from the territory of a Member State (section 1) or from a territory where the law of the Member States applies under public international law (section 3)
  2. The entity processing the data does not come from the EEA, but the person does (paragraph 2), i.e. the so-called transfer of data to third countries

Processing of personal data within the European Economic Area

In the situations specified in Article 3(1) and (3), we are dealing with an ordinary case to which no special provisions apply. It is therefore sufficient for the entity to meet the general requirements of the GDPR and the legislation of the Member State from which it comes.

The purpose of the regulation is to establish consistency of regulations between countries. Therefore, national laws should not have too different provisions and apply a common interpretation of the regulation.

Moreover, it does not matter whether the entities or persons between whom the data is transferred come from the same or different Member States. Data flow within the European Economic Area is treated in the same way as data transfer within one country. This principle applies to all Member States of the European Economic Area, and the provisions apply to all of them to the same extent.

Transfer of personal data to third countries

The territorial scope of the Regulation under Article 3 is not limited to situations where both the entity and the person come from EEA countries. Paragraph 2 extends this scope to situations where the entity does not come from the EEA but the person whose data is being transferred does. This creates the need to transfer personal data to third countries, i.e. countries that are not members of the EEA. In such cases, the special provisions of Chapter V of the Regulation apply. An entity that wants to transfer data to a third country may do so only if it meets the requirements of that chapter.

The purpose of detailed regulations is to ensure that personal data is adequately protected. The EU does not have the power to impose its legislation on other countries, but it can require entities operating within its scope to meet appropriate requirements. They will have to meet these requirements or face high penalties.

The Regulation contains three types of possibilities for transferring personal data to third countries:

  1. Transfer of data on the basis of the EC decision on the adequate level of protection of personal data, i.e. the so-called adequate countries (Article 45)
  2. Transfers subject to appropriate safeguards (Article 46)
  3. Exceptions in special situations (Article 49).

Adequate countries (Article 45)

The main objective of the GDPR was to ensure the greatest possible protection of the personal data of EU citizens. The system introduced by the Regulation is very restrictive. It imposes many obligations on the controller, backed by high financial penalties for violations. In other countries of the world, this system is often much weaker and does not provide adequate protection. However, there are countries that approach data protection with the same seriousness as the EU and whose protection systems are also highly developed. Such countries are referred to as adequate countries.

Under Article 45 of the GDPR Regulation, the European Commission is authorized to conduct an assessment of countries and international organizations regarding the level of protection of personal data in them. If such a country meets all the requirements, the EC issues a decision on the appropriate level of protection of personal data. In the case of transfer of data to such a third country, there is no requirement to obtain any special consent. The transfer of data, therefore, takes place in the same way as if it took place to another country of the community.

The purpose of this institution is to facilitate the transfer of data to third countries that have a sufficiently developed data protection system to be trusted to transfer EU citizens’ data.

According to the data provided on the official website of the Office for Personal Data Protection, the currently recognized adequate countries are: Andorra, Argentina, Canada (commercial activities), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay, the United Kingdom, the USA and, most recently, South Korea.

Example

You are a German company that wants to expand its services to the Asian market, South Korea, India and Japan. First, you need to check whether there are decisions for these third countries that establish an adequacy level of protection. In this case, South Korea and Japan have been found to be adequate. You can therefore transfer personal data to these two third countries without additional safeguards, but since India is not covered by an adequacy decision, you must protect the transfer of data to this country with appropriate safeguards.

The procedure for issuing a decision is complicated. The issuance of a decision is preceded by numerous studies and reports on data protection in the country concerned. Above all, it focuses on the assessment of how the local data protection legislation, i.e. the Personal Information Protection Act, is applied. Only when the level of protection guaranteed by the country is equivalent to that in the EU can an adequacy decision be issued.

When assessing whether the level of protection is adequate, the Commission shall take into account in particular the following elements:

  1. the rule of law, respect for human rights and fundamental freedoms, including in the areas of public security, defence, national security and criminal law, and access by public authorities to personal data;
  2. the existence and effective functioning of at least one independent supervisory authority in the third country or in relation to the international organisation, responsible for ensuring and enforcing compliance with data protection rules, including appropriate enforcement powers, assisting and advising data subjects in exercising their rights, and cooperating with the supervisory authorities of the Member States;
  3. international commitments entered into by the third country or international organisation concerned, or other obligations arising from legally binding conventions or instruments and from participation in multilateral or regional systems, in particular in the area of personal data protection.

The decision does not have to apply to the entire territory of a given country. It can apply only to a given region, territory or part of it. An example is the USA, where the adequacy decision applies only to selected states. Similarly, the decision may stipulate that adequacy applies only to data transfers in a selected field (e.g. in Canada the decision applies only to commercial activities).

The Commission continuously monitors developments in the third country. If the Commission finds that changes that have occurred or are about to occur lower the adequate level of protection, it may adopt a decision to that effect and, to the extent necessary, revoke, amend or suspend the adequacy decision. The Commission may first hold consultations with the third country in order to resolve the problem. Revoking a decision is therefore an unwanted last resort.

All adequacy decisions are published in the Official Journal of the European Union and the Commission publishes them on its website.

Discussion of the EC implementing decision on the adequacy of the level of protection of personal data, using the example of the decision concerning South Korea

The decision consists of two parts. The first part is purely descriptive: it sets out the grounds and intentions behind the decision and is not normative in nature. This part is generally the longer one. The second part is the operative part, consisting of articles of a normative nature.

The first part is divided into 8 chapters, which are in turn divided into smaller subchapters. Altogether it consists of 230 points. They contain general information on the more technical aspects of the decision and can easily be compared to the recitals found in EU directives and regulations.

Chapter 2 is important for the assessment of the decision. It consists of 130 points, more than half of the total. It contains a description of the Korean regulations applicable to data protection, divided into the following subcategories:

  1. Data Protection Framework in the Republic of Korea
  2. The scope and entities of the Personal Information Protection Act
  3. Security, rights and obligations
  4. Supervision and enforcement of legal provisions
  5. Claims settlement.

Each of them is further divided into smaller subgroups. In it, the EC conducts a detailed analysis of all legal acts in South Korea, interprets them and assesses them, for example, in terms of transparency, the form of their enforcement, institutional supervision, ensuring data security or a sufficient level of protection.

Another important chapter is Chapter 3, entitled “Access to and use of personal data transferred from the European Union by public authorities in the Republic of Korea”. It contains 70 points and consists of 3 subchapters, each divided into smaller groups. These are:

  1. General legal framework
  2. Access to data by Korean public authorities for the purpose of law enforcement and use of such data by such authorities for the same purpose
  3. Access to and use of data for national security purposes by Korean public authorities

This part is about the use of personal data by Korean state institutions. This is a very sensitive part, but necessary to examine in order to get a full picture of data protection.

The remaining chapters, 4 to 8, are more technical in nature and focus on the formal features of the decision, such as the procedure for changing it, monitoring it, and the effects it will have.

The second part consists of 6 articles of a normative nature. They contain the main content, specifying what the decision introduces. It can be said that the substantive part of the decision is contained in them.

At the very end there are signatures as befits every decision.

Transfer of data to a third country subject to appropriate safeguards (Article 46 of the GDPR)

If the third country is not an adequate country, entities may transfer data to it only if they provide appropriate safeguards and provided that enforceable data subject rights and effective legal remedies are available. Depending on the safeguard used, this may or may not require authorisation from a supervisory authority.

Article 46(2) of the GDPR contains a closed list of instruments that an entity may adopt to ensure appropriate protection of users' personal data. In these cases, there is no additional obligation to obtain authorisation from the supervisory authority:

  1. a legally binding and enforceable instrument between public authorities or bodies that provides for enforceable and effective rights for data subjects;
  2. binding corporate rules, i.e. the personal data protection policy applied by a controller or processor for data transfers within a group of undertakings or a group of enterprises engaged in a joint economic activity (defined in Article 4, point 20). The detailed requirements for such rules are specified in Article 47 of the Regulation. On that basis, they are approved by the supervisory authority in accordance with the consistency mechanism if:
     a) they are legally binding and apply to every member of the group;
     b) they expressly confer enforceable rights on data subjects;
     c) they meet the structural requirements of paragraph 2 of that Article;
  3. standard data protection clauses adopted by the Commission, or adopted by a supervisory authority and approved by the Commission;
  4. an approved code of conduct, together with binding and enforceable commitments;
  5. an approved certification mechanism, together with binding and enforceable commitments.

What these cases have in common is that the supervisory authority has already carried out its control at the initial stage, or the entity applies clauses adopted by the authority. No further control is therefore required.

Paragraph 3 covers situations in which the supervisory authority has not carried out prior control, so the rules under which data will be transferred to the third country are unknown to it. In order to ensure an adequate level of protection, control and authorisation of the entity are therefore necessary for:

  1. contractual clauses between a controller or processor and a controller, processor or recipient of personal data in a third country or an international organisation;
  2. provisions of administrative arrangements between public authorities or bodies that provide for enforceable and effective data subject rights.

Transfer of data to third countries in exceptional and specific situations

In exceptional situations, where the third country to which data is transferred is not an adequate country or the transfer cannot be carried out using appropriate safeguards, a one-off or repeated transfer of data is possible if one of the specific conditions of Article 49 is met:

  1. the data subject has expressly consented to it,
  2. the transfer is necessary for the performance of a contract between the data controller and the data subject or is undertaken at his or her request,
  3. the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the data controller and another entity,
  4. the transfer is necessary for the public good
  5. the transfer is necessary to demonstrate the validity of legal claims,
  6. the transfer is necessary to protect the vital interests of the data subject,
  7. data is publicly available.

In very exceptional situations, when the third country to which data is transferred is not an adequate country, the transfer cannot be carried out using appropriate safeguards, and none of the specific conditions above is met, the transfer may only take place if all of the following hold: it is not repetitive; it concerns only a limited number of people; it is necessary for important legitimate interests pursued by the controller which are not overridden by the interests, rights and freedoms of the data subject; and the controller has assessed all the circumstances and, on that basis, provided appropriate safeguards for data protection. The controller is obliged to notify the supervisory authority of such a transfer.

Summary

The GDPR, in order to be applied in practice, could not be limited to the Member States alone. In today's globalised world, it had to be able to govern relations with third countries outside the community.

The institution of adequate countries should be assessed unequivocally positively. It reduces bureaucracy and limits the requirements imposed on entities transferring data to certain countries. It should be remembered that the greater the requirements, the greater the cost of meeting them. The institution therefore significantly facilitates the functioning of the GDPR in practice while still maintaining a high level of data protection.

Sources

– Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU. L. of 2016, No. 119, p. 1, as amended).

– Office for Personal Data Protection: https://www.uodo.gov.pl/

– P. Fajgielski, Commentary to Regulation No. 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [in:] General Data Protection Regulation. Personal Data Protection Act. Commentary, 2nd ed.
