Showing posts with the label Cross border transfers

Cross Border Transfer Mechanisms: Certifications

Certifications are yet another way that businesses operating in the EU can achieve cross border transfers of personal data out of the EU. Businesses can also demonstrate compliance with GDPR by instituting a certification mechanism. Member states, supervisory authorities, the EDPB or the Commission are required to encourage the establishment of certification mechanisms to enhance transparency and compliance with the Regulation. Certification can be issued by Data Protection Authorities (DPAs) or accredited certification bodies. In conjunction with the harmonization goal of GDPR, Art. 42 encourages an EU-wide outlook for certification schemes. As of yet, there are no credentialed certification bodies, which presents a huge economic opportunity to the organization that applies and is approved as a certification body. Certification does not reduce a data controller's or processor's protection responsibilities. Controllers/Processors are required to provide all th

Cross Border Transfer Mechanisms: Codes of Conduct

Codes of Conduct are another mechanism that can be used in transferring personal data out of the EU to an area that is deemed not to have an adequate level of protection. In this article, I will explain how they are created, complied with and enforced.

(1) Who is responsible for drawing up codes of conduct
    (a) Governments and regulators can encourage the drawing up of codes of conduct.
    (b) Codes of conduct may be created by trade associations or representative bodies.
    (c) Codes should be prepared in consultation with relevant stakeholders, including individuals (Recital 99).
    (d) Codes must be approved by the relevant supervisory authority and, where the processing is cross-border, the European Data Protection Board (the EDPB).
    (e) Existing codes can be amended or extended to comply with the requirements under the GDPR.
(2) Codes of conduct may cover topics such as:
    (a) fair and transparent processing;
        (i) Processing means any operation or set of operations that

Cross Border Transfer Mechanism: Model Clauses

A cross border transfer is one where the personal data is transferred from the EU to a country that is outside of the EU (EEA*). If the country to which the data is transferred does not have an adequate level of protection, a transfer mechanism must be used. Under GDPR, Model Clauses are one of the many mechanisms that can be used for cross border transfers. Model Clauses (also known as Standard Clauses) are contractual clauses that are generally drafted and adopted by a Data Protection Authority (DPA). The Commission (one of the many EU governmental bodies) may also adopt Model Clauses, but has yet to do so. MCs set out the duties and obligations for both Controllers and Processors. There are several noticeable differences between MCs and Binding Corporate Rules (BCRs): MCs require processors to provide an adequate level of protection of the personal data. MCs may be used by unrelated entities. MCs do not require approval by the DPA. MCs cannot be altered and tailored.

Cross Border Transfer Mechanisms: Binding Corporate Rules

Outside of consent and contract there are a number of mechanisms that a company can use to transfer (cross border) personal data from the EU to outside of the EU. One of those mechanisms is Binding Corporate Rules (BCRs). BCRs were developed by the Art. 29 Data Protection Working Party as a transfer mechanism that permits multinational groups to create a contractual instrument that corresponds to their specific data processing needs.

Application
    (a) Must be uniform throughout the organization.
    (b) Must be enforceable by the data subject.
    (c) Must indicate clear cooperation with the DPA (Data Protection Authority).
    (d) Multinational companies must seek the approval of each DPA located in the country where the data is transferred from.

Pros
    BCRs allow data transfers to entities located in third countries, irrespective of whether the country can provide for an adequate level of data protection or not.

Cons
    BCRs do not apply to transfers to external sub-processors (outsi