Posts

Showing posts with the label Model Clauses

Cross Border Transfer Mechanisms: Codes of Conduct

Codes of Conduct are another mechanism that can be used in transferring Personal data out of the EU to an area that is deemed not have adequate level of protection. In this article, I will explain how they created, complied with and are enforced. (1) Who Responsible for drawing up codes of conduct (a)    Governments and regulators can encourage the drawing up of codes of conduct. (b)    Codes of conduct may be created by trade associations or representative bodies. (c)    Codes should be prepared in consultation with relevant stakeholders, including individuals (Recital 99). (d)    Codes must be approved by the relevant supervisory authority; and where the processing is cross-border, the European Data Protection Board (the EDPB). (e)     Existing codes can be amended or extended to comply with the requirements under the GDPR. (2)    Codes of conduct may cover topics such as: (a)  ...

Cross Border Transfer Mechanism: Model Clauses

A cross border transfer is one where the personal data is transferred from the EU to a country that is outside of the EU (EEA*). If the country where the data is transferred to does not have an adequate level of protection, a transfer mechanism must be used. Under GDPR, Model clauses are one of the many mechanism that can use used for cross border transfers . Model Clauses (Also known as Standard Clauses) are contractual clauses that are generally drafted and adopted a Data Protection Authority (DPA).  The Commission (One of the many EU governmental bodies) may also adopt Model Clauses, but have yet to do so. MCs set out the duties and obligations for both Controllers and Processors.  There are several noticeable differences between MCs and Binding Corporate Rules (BCRs): MCs require processors to provide an adequate level of protection of the personal data. MCs maybe used by unrelated entities. MCs do not require approval by the DPA.  MCs can not be altered a...

Cross Border Transfer Mechanisms : Binding Corporate Rules

Outside of consent and contract there are number of mechanisms that a company can use to transfer ( cross border ) personal data from the EU to outside of the EU. One of those mechanisms is Binding Corporate Rules (BCRs). BCRs were developed by the Art. 29 Data Protection Working Party as a transfer mechanism that permits multinational groups to create a contractual instrument that corresponds to their specific data processing needs. Application (a)    Must be uniform throughout organization. (b)    Must be enforceable by data subject. (c)    Must indicate clear cooperation with DPA (Data Protection Authority). (d)    Multinational companies must seek the approval of each DPA located in the country where the data is transferred from. Pros  BCRs allow data transfers to entities located in third countries, irrespective of whether the country can provide for an adequate level of data protection or not . Cons ...