
Principles of the transfer of personal data to a third country

Introduction

The continuous globalization of the world economy influences the international transfer of personal data. The transfer of personal data to third countries, especially those which are not able to ensure at least the same level of personal data protection as the one provided in the territory of the Republic of Poland, is connected with a high risk of breaching the rights and freedoms of the data subject. Therefore the Act of August 29, 1997 on the Protection of Personal Data (Journal of Laws of 2002, No. 101, item 926 with later amendments) imposes specific requirements on the transfer of personal data to a third country. They are specified in Chapter 7 of the Act, “Transfer of Personal Data to a Third Country” (Articles 47 and 48). It needs to be underlined that the abovementioned provisions implemented specific provisions of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, hereinafter called the Directive. They are of crucial importance for the interpretation of the Act on the Protection of Personal Data.

 

On the basis of what principles can personal data be transferred to the Member States of the European Economic Area?

The Data Protection Act in its present wording does not contain any specific provisions regulating the transfer of personal data to the European Economic Area (EEA) Member States. It needs to be underlined that, according to the legal definition given in Article 7 point 7 of the Act, a third country shall mean a country which does not belong to the European Economic Area. It means that the transfer of personal data within borders of the European Union shall be treated as the transfer inside the territory of the Republic of Poland. This principle applies to all the Member States of the European Union and those Member States of the European Economic Area which are not the European Union Members (presently: Norway, Iceland and Liechtenstein).

The free flow of personal data within the framework of the European Union and further within the European Economic Area is the necessary condition of the Polish membership in the European Union. The EU Member States have implemented the provisions of the Directive 95/46/EC into their legal orders. The two main goals of the Directive are:

  • ensuring of the proper level of personal data protection,
  • ensuring of the free flow of personal data within the territory of the European Union.

Under the implemented provisions, the transfer of personal data to the EU Member States is conducted in accordance with the general principles of data processing outlined in the Act on the Protection of Personal Data (excluding the provisions of Chapter 7). Such a data controller, like a controller processing personal data in the territory of Poland, is obliged to fulfil one of the prerequisites of legality of data processing, such as the purposefulness principle and the principle of personal data quality. The controller is also obliged to implement all the safety measures necessary to protect personal data.

Are there any additional requirements that need to be met in order to transfer personal data to a third country?

Yes. As opposed to the data transfer to the EEA Member States, apart from the general provisions outlined in the Act on Personal Data Protection, the obligations imposed by the provisions of the Act also need to be fulfilled in case of transfer of personal data to a third country.

 

On what grounds can personal data be transferred to a third country?

On the grounds of the Article 47 of the Act on the Protection of Personal Data, the transfer of data to a third country may take place only if the country of destination ensures at least the same level of protection as the one in force in the territory of the Republic of Poland. The quoted provision is compatible with the provisions of Article 25 point 1 of the Directive 95/46, according to which the Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of the Directive, the third country in question ensures the adequate level of data protection.

Basically, in the context of the provisions of the Act on the Protection of Personal Data and of the European Union provisions the transfer of personal data to a third country may take place only if the country of destination ensures at least the same level of protection in its territory as that in force on the territory of the Republic of Poland.

In what circumstances does a third country ensure the adequate level of personal data protection?

The Act on the Protection of Personal Data does not directly point out the prerequisites regulating the assessment whether a third country ensures the adequate level of the protection of personal data, hence it is worth quoting Article 25 paragraph 2 of the Directive 95/46, according to which the adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding the data transfer operation or set of such operations. Particular consideration shall be given to the nature of data, the purpose and duration of the proposed processing, the country of origin and the country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.

An attempt to establish a methodology for investigating the level of data protection in a third country was made by the Working Party on the Protection of Individuals with regard to the Processing of Personal Data, established on the grounds of Article 29 of Directive 95/46/EC, hereinafter referred to as the Article 29 Working Party.

The Article 29 Working Party in its working paper of July 24, 1998 No WP 12 on the Transfers of Personal Data to Third Countries; Applying Articles 25 and 26 of the Data Protection Directive underlined that the adequate level of data protection shall consist of two elements: the rules concerning the processing of personal data and the means of ensuring the effective application of the data protection provisions. The basic rules of data processing, which shall be ensured in a third country, comprise:

Purposefulness principle – the data shall be processed for a specific purpose; further processing of the data may only take place if it is not contrary to the primary purpose of data processing.

Data quality and adequacy principle – the data shall be specific and when necessary, kept up to date. Data shall be adequate in relation to the purpose for which they were collected.

Information obligation principle – the data subject shall be provided with the information concerning the purpose of the processing of personal data and the data controller in the third country.

Data protection principle – appropriate technical and organizational measures, commensurate with the existing risks, shall be implemented to protect personal data.

Access to personal data and right to object – the data subject shall have a guarantee of access to the information concerning him or her, the right to rectify the data and the right to object to the processing of personal data.

Limitation of the further processing – as a rule, further processing of personal data by an entity residing in a third country shall be permitted only if the next body which is to receive the personal data is also bound by the principles of proper data protection.

Because of the significant diversity of the national systems of data protection the Article 29 Working Party pointed out three features which the data protection systems need to have in order to ensure a high level of compliance with the principles of data processing: the system needs to deliver a good level of compliance with the rules, it also needs to provide support and help to individual data subjects in the exercise of their rights and to provide appropriate redress to the injured party where rules are not complied with.

The full text of the working document (translated into a number of languages) is available on the website:

http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/wpdocs/1998_en.htm

 

On the grounds of Article 25 item 6 of Directive 95/46/EC, the European Commission is entitled to state, by means of an administrative decision, that a specific third country ensures an adequate level of data protection, which results from its national provisions of law or international obligations accepted by this country, especially after the termination of negotiations with the European Commission in the scope of privacy protection and basic rights and freedoms of individuals. The recognition by the European Commission that the country ensures the corresponding level of protection is equivalent to confirmation that the country ensures at least the same guarantees of data protection as those in force in the territory of the Republic of Poland. To date, the Commission has issued a number of decisions of differing scope and character. Decisions concerning the data transfer to a third country were issued for the following countries:

Argentina

Commission Decision of 30 June 2003 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Argentina, available at:

http://ec.europa.eu/justice_home/fsj/privacy/thridcountries/index_en.htm

Australia

Council Decision 2008/651/CFSP/JHA of 30 June 2008 on the signing, on behalf of the European Union, of an Agreement between the European Union and Australia on the processing and transfer of European Union-sourced passenger name record (PNR) data by air carriers to the Australian Customs Service, available at:

http://ec.europa.eu/justice_home/fsj/privacy/thridcountries/index_en.htm

Canada

Commission Decision of 20 December 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act, available at:

http://ec.europa.eu/justice_home/fsj/privacy/thridcountries/index_en.htm

Faeroe Islands

Commission Decision of 5 March 2010 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection provided by the Faeroese Act on processing of personal data, available at:

http://ec.europa.eu/justice_home/fsj/privacy/thridcountries/index_en

Guernsey

Commission Decision of 21 November 2003 on the adequate protection of personal data in Guernsey, available at:

http://ec.europa.eu/justice_home/fsj/privacy/thridcountries/index_en

Isle of Man

Commission Decision of 28 April 2004 on the adequate protection of personal data in the Isle of Man, available at:

http://ec.europa.eu/justice_home/fsj/privacy/thridcountries/index_en

Jersey

Commission Decision of 8 May 2008 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Jersey (notified under document number C(2008) 1746), available at:

http://ec.europa.eu/justice_home/fsj/privacy/thridcountries/index_en

Switzerland

Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided in Switzerland, available at:

http://ec.europa.eu/justice_home/fsj/privacy/thridcountries/index_en

USA

Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the Safe Harbor privacy principles and related frequently asked questions issued by the US Department of Commerce, available at:

http://europa.eu.int/eur-lex/lex/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML

 

The controller of personal data is obliged to evaluate whether the country of destination ensures the corresponding guarantees of data protection and has to independently assess whether the prerequisites specified in Article 47 paragraph 1 have been fulfilled. The Inspector General for Personal Data Protection does not issue any decisions concerning this matter. It needs to be underlined that in case of any doubt concerning the level of protection in a third country, the data controller needs to fulfil one of the prerequisites specified in Art. 47 paragraphs 2 and 3 or Art. 48 of the Act on the Protection of Personal Data.

Does the Act on the Protection of Personal Data allow the transfer of the personal data to a third country which does not ensure an adequate level of personal data protection?

Yes, but the transfer of personal data to a third country which does not ensure at least the same level of data protection as that in the territory of the Republic of Poland may only take place if one of the prerequisites specified in Article 47 paragraphs 2 and 3 of the Act is fulfilled.

First, it needs to be explained that the transfer of personal data to a third country which does not ensure an adequate level of data protection may take place if the data controller is obliged to transfer personal data by the provisions of law or by the provisions of any ratified international agreement (Art. 47 paragraph 2). It needs to be underlined that this norm embraces only the provisions of law in force in the territory of the Republic of Poland or ratified international agreements. The grammatical interpretation of Article 47 paragraph 2 shows that an explicit obligation to transfer personal data must exist.

Article 47 paragraph 3 of the Act includes the following prerequisites for the transfer of personal data to a third country which does not ensure an adequate level of protection. The data controller may transfer personal data to a third country only if:

  1. the data subject has given a written consent,
    The given prerequisites shall be interpreted in the light of definition specified in Art. 7 point 5 of the Act. According to this provision, the consent of the data subject shall mean a declaration of will by which the data subject signifies his/her agreement to the processing of personal data; the consent cannot be alleged or presumed on the basis of the declaration of will of other content. In consequence, the person who submits such declaration of will shall be aware of lack of adequate data protection in the third country to which the data relating to this person is to be transferred.
  2. the transfer is necessary for the performance of a contract between the data subject and the controller or takes place in response to the data subject’s request.
    In the framework of this prerequisite two situations can be singled out in which the data transfer is admissible. The first one refers to the situation when the transfer is necessary for the performance of a contract between the data subject and the controller. The second one refers to the situation in which the transfer takes place in response to the request of the data subject. At the same time it needs to be acknowledged that the hypothesis of the introduced norm embraces the actions related to the performance of the contract and the actions before the conclusion of the contract – taken at the request of the data subject. It needs to be underlined that the personal data may be transferred to a third country only if it is necessary for the achievement of the abovementioned goals. It is not enough for the data to be only useful.
  3. the transfer is necessary for the performance of a contract concluded in the interests of the data subject between the data controller and another subject.
    It is of essential importance for the contract between the controller and another subject to be concluded in the interests of the data subject – an insurance contract may be given as example.
  4. the transfer is necessary or required by reasons of public interest or for establishment of legal claims.
    If we analyse the possibilities of the transfer of personal data to a third country, if it is necessary due to public interest, it is worth noting that according to point 58 of the preamble to the Directive 95/46/EC the transfer is admissible if it is necessary for the protection of an important public interest, for example in cases of international transfers of data between tax or customs administrations or between services competent for social security matters. Hence, this provision shall be interpreted strictly.
  5. the transfer is necessary in order to protect the vital interests of the data subject.
    The vital interests shall mean the interests indispensable for the life of a person. As a rule the economic interests are not included in the scope of this notion.
  6. the transfer relates to the data which are publicly available.
    The abovementioned prerequisite cannot be used if the data were made publicly available in breach of law.

 

In which cases may the Inspector General for Personal Data Protection allow the transfer of personal data to a third country?

In cases when the prerequisites enumerated in Article 47 paragraph 2 or 3 of the Act are not fulfilled, the transfer of personal data to a third country which does not ensure at least the same level of personal data protection as that in force in the territory of the Republic of Poland may take place subject to a prior consent of the Inspector General, provided that the controller ensures adequate safeguards with respect to the protection of privacy, rights and freedoms of the data subject (Art. 48).

It needs to be underlined that the transfer of the personal data to a third country which does not ensure an adequate level of personal data protection may begin only after issuing the decision by the Inspector General. This decision does not legitimise the earlier processing of personal data.

The Inspector General, while considering the motion for the prior consent shall assess whether the data controller ensures adequate safeguards with respect to the protection of privacy, rights and freedoms of the data subject. Such evaluation is made with the use of the same prerequisites as the ones used for the general assessment of the data protection level ensured in a third country. Nevertheless every motion shall be evaluated individually, noting all the circumstances.

The data controller may ensure an adequate level of protection of personal data which are the subject to the transfer by accepting the relevant contractual obligations such as:

  • standard contractual clauses adopted by the European Commission
  • standard contractual clauses modified by the controller
  • contractual clauses elaborated independently by the controller
  • binding corporate rules.

 

Can the data controller use the standard contractual clauses adopted by the European Commission?

Yes, the European Commission, on the grounds of Article 26 paragraph 4 of the Directive, is entitled to decide by means of a decision that specific standard contractual clauses ensure an adequate level of data protection as well as the rights and freedoms of individuals. Such decisions require that the Member States do not refuse to approve the safeguards introduced in the standard contractual clauses stated in the decisions that acknowledge the proper level of personal data protection. This does not exclude the obligation of fulfilling the other requirements imposed by specific national provisions. The European Commission has issued three decisions concerning this matter:

 

Commission Decision 2001/497/EC on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Official Journal L 181, 04/07/2001) was issued by the Commission on June 15, 2001. The contractual clauses introduced by this act can be used for the transfer of personal data to a controller with a place of residence in a third country. The text is available at:

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2001:181:0019:01:EN:HTML

Commission Decision 2004/915/EC amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries (Official Journal L 385/19, 29/12/2004) was issued by the Commission on December 27, 2004. This decision introduced a set of alternative contractual clauses, which can be used by the data controller when transferring personal data to other controllers having a place of residence in a third country. The data controller may choose one of the two sets of standard contractual clauses.

The text of the decision is available at:

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2004:385:0074:0084:EN:PDF

Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (Official Journal L 039, 12/02/2010), adopted on 5 February 2010, is available at:

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2010:039:0005:0018:EN:PDF

The standard contractual clauses introduced by this decision can be used for the transfer of personal data where the controller has authorized another subject to carry out the processing of personal data within the meaning of Article 31 of the Act on the Protection of Personal Data.

The abovementioned decision replaced the Commission Decision 2002/16/EC on standard contractual clauses for the transfer of personal data to processors established in third countries, under Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Official Journal L 006, 10/01/2002), issued by the Commission on December 27, 2001.

The text of the decision is available at:

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2002:006:0052:01:EN:HTML

 

Notice: Decision 2010/87/EC is applicable to contracts concluded after 15 May 2010. However, a contract concluded between a data exporter and a data importer pursuant to Decision 2002/16/EC before 15 May 2010 shall remain in force and effect for as long as the transfers and data-processing operations that are the subject matter of the contract remain unchanged and personal data covered by this Decision continue to be transferred between the parties. Where contracting parties decide to make changes in this regard or subcontract the processing operations that are the subject matter of the contract, they shall be required to enter into a new contract which shall comply with the standard contractual clauses set out in the Annex to the Decision.

 

On 12 July 2010, the Article 29 Working Party issued document WP 176, in which it cleared up certain doubts concerning the implementation of Commission Decision 2010/87/EC. The document is available at:

http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2010/wp176_en.pdf

 

Following the applicant’s declaration that the standard contractual clauses introduced by the decisions of the Commission have been used, the Inspector General needs to compare the safeguards used by the applicant with the text of the standard contractual clauses. Furthermore, the Inspector General investigates the circumstances of the planned data transfer.

 

In what way may standard contractual clauses be introduced?

It needs to be underlined that standard contractual clauses can be a part of a wider contract concluded by the controller of personal data and the recipient of data in a third country. They can be also added as an annex to the contract or have a form of a separate document.

 

Can the controller of personal data use binding corporate rules?

Yes. The use of the standard contractual clauses introduced by the Commission decisions is not the only solution allowing the Inspector General to issue the decision allowing the transfer of personal data to a third country. It is possible to use modified standard contractual clauses, as well as clauses which were elaborated by the applicant.

Binding corporate rules are a separate instrument which can play a sufficient role in case of personal data transfer within the framework of international corporations. It is quite a new instrument, which can ensure on the one hand a bigger flexibility and on the other - a uniform, high level of the protection of the data subject within the framework of the corporation irrespective of the level of the personal data protection within the territory of other countries.

On June 3, 2003 the Article 29 Working Party issued working paper WP 74 on “Transfers of personal data to third countries: Applying Article 26 (2) of the EU Data Protection Directive to Binding Corporate Rules for International Data Transfers”.

The text of the working paper is available (in English, French and German) on the website:

http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/wpdocs/2003_en.htm

The Article 29 Working Party, while performing the analysis of the notion of corporate rules, pointed out that these rules are:

  1. “binding” or “possible to execute in the legal way” because only the clauses of such character can be recognized as the “adequate level” of guarantees as defined in Article 26 paragraph 2 of the Directive 95/46/EC;
  2. corporate, because those rules are used within the framework of the international corporation, in most cases devised by the corporation headquarters;
  3. used for the international transfer of personal data, because this is the sense for the existence of those rules.

On April 14, 2005 the Article 29 Working Party adopted the working paper WP 108 containing a checklist with all indispensable elements which shall be included in the binding corporate rules.

Taking into consideration that the binding corporate rules as a rule are expected to be of public character, the European Data Protection Authorities adopted a procedure of cooperation aimed at Issuing Common Opinions on Adequate Safeguards Resulting From “Binding Corporate Rules” (Working Document WP 107 adopted on April 14, 2005).

Both of the above mentioned documents are available (in English, French and German) on the website:

http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/wpdocs/2005_en.htm

 

What information needs to be included in the motion for consent for the transfer of personal data to a third country?

If, in the applicant’s opinion, it is necessary for the Inspector General to express the consent to the transfer of personal data to a third country, the abovementioned applicant shall submit the evidence allowing to confirm that the suggested safeguards with respect to the protection of the rights, freedoms and privacy of the data subject are adequate. The Inspector General requires the applicants to specify:

  1. the parties of such transfer,
  2. categories of personal data,
  3. scope of the data,
  4. target and estimated time of the transfer operations,
  5. safeguards undertaken by the parties that intend to transfer personal data in order to protect rights of the data subject, including for instance: presentation of the content of the contract (including binding corporate rules) constituting the ground for personal data transfer,
  6. organizational and technical means implemented by the recipient of personal data to protect the transferred data (exact description).

The Inspector General has a right to turn to the applicant in the course of the proceedings to give some additional explanations or mail the documents.

The motion needs to fulfil the requirements stated in Article 63 of the Act of July 14, 1960, the Code of Administrative Proceedings (Journal of Laws of 2000, No 98, item 1071 with later amendments).

The motion needs to be submitted in writing and to contain the following formal elements:

  • information identifying the applicant, including:
    • name and surname/full name of the entity,
    • address /registered office;
  • handwritten signature of the applicant;
  • valid extract from the National Court Register or other register, or certificate or information from a record relevant to the organisational structure of the applicant;
  • payment slip for stamp duty.

ATTENTION! If the applicant acts for and in the name of other person or entity (as their proxy), he/she also needs to:

  • attach to the application an original or certified copy of a power of attorney to act for and in the name of the principal in proceedings before the Inspector General for Personal Data Protection.

ATTENTION! According to the Act of 7 October 1999 (Journal of Laws No. 90, item 999 with amendments), the application and the documents attached thereto need to be in Polish.

The written application may be submitted:

  • by traditional mail to the Bureau of the Inspector General for Personal Data Protection (at the address: Biuro Generalnego Inspektora Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warszawa),
  • in person, in the Bureau of the Inspector General for Personal Data Protection (address as above),
  • by electronic means, using the electronic inbox available at the website of the Inspector General for Personal Data Protection (www.giodo.gov.pl, in the “Electronic Inbox” tab).


ATTENTION! Applications submitted by electronic means need to include a safe electronic signature verified by a valid qualified certificate and to comply with the norms specified in the provisions on electronic signature.

An obligation to pay stamp duty arises in case of:

  • submitting an application to the Inspector General for Personal Data Protection (regardless of the form of submission),
  • submitting a power of attorney/proxy for the proceedings before the Inspector General for Personal Data Protection (both in case of the original document and its copy or excerpt).

The stamp duty rate amounts to:

  • PLN 10.00 in case of an application for consent to transfer data to a third country,
  • PLN 17.00 in case of a power of attorney.

 

Stamp duty is to be paid at the cash-desk or by bank transfer to: Dzielnica Śródmieście m. st. Warszawy, ul. Nowogrodzka 43, 00-691 Warszawa.

Account no: 60 1030 1508 0000 0005 5001 0038.

The transfer title should include the expression “stamp duty for...” and the acronym GIODO. The payment slip should be sent to the Bureau of the Inspector General for Personal Data Protection.