Agencia Española de Protección de Datos

International transfers of data.

International transfers of data are regulated in Articles 33 and 34 of Organic Law 15/1999, of 13 December, on the Protection of Personal Data (LOPD), and in Title VI of the Regulation implementing that Organic Law, adopted by Royal Decree 1720/2007, of 21 December (RLOPD).

An international data transfer is a processing of data that involves transmitting the data outside the territory of the European Economic Area (EEA), whether it constitutes an assignment or communication of data or is aimed at carrying out a processing of data by the controller of the file established in Spanish territory (art. 5.1.s) RLOPD).

The data exporter is the natural or legal person, public or private, or administrative body located in Spanish territory that carries out a transfer of personal data to a third country (art. 5.1.j) RLOPD).

The data importer is the natural or legal person, public or private, or administrative body that receives the data in the event of an international transfer to a third country, whether as controller, processor or third party (art. 5.1.ñ) RLOPD).

International transfers of data require the prior authorisation of the Director of the Spanish Data Protection Agency, unless the transfer is covered by one of the exemptions set out in paragraphs a) to j) of Article 34 of the LOPD or the State in which the importer is located provides an adequate level of protection. In those situations the international transfer must in any case be notified to the General Data Protection Register for registration, through the NOTA file notification system.

The authorisation of an international transfer of data does not in any case exclude the application of the provisions contained in the LOPD and the RLOPD.


      Countries with an adequate level of protection.

    To date, the following have been declared countries with an adequate level of protection:

    • Switzerland. Decision 2000/518/EC of 26 July 2000
    • Canada. Decision 2002/2/EC of 20 December 2001, with regard to entities subject to the scope of Canadian data protection law
    • Argentina. Decision 2003/490/EC of 30 June 2003
    • Guernsey. Decision 2003/821/EC of 21 November 2003
    • Isle of Man. Decision 2004/411/EC of 28 April 2004
    • Jersey. Decision 2008/393/EC of 8 May 2008
    • Faeroes. Decision 2010/146/EU of 5 March 2010
    • Andorra. Decision 2010/625/EU of 19 October 2010
    • Israel. Decision 2011/61/EU of 31 January 2011
    • Uruguay. Decision 2012/484/EU of 21 August 2012
    • New Zealand. Decision 2013/65/EU of 19 December 2012
    • United States. Applicable to entities certified under the EU-US Privacy Shield framework. Commission Decision (EU) 2016/1250 of 12 July 2016. The list of certified entities is available on the Privacy Shield website: https://www.privacyshield.gov/list

      It should be recalled that where the international transfer of data to one of those countries results from the provision of services, this does not remove the obligation to conclude a contract in accordance with Article 12 of the LOPD.

       

          Cases legally exempted from authorisation by the Director of the Spanish Data Protection Agency.

        Article 34 of the LOPD and Article 66.2 of the RLOPD set out the circumstances in which the prior authorisation of the Director of the Spanish Data Protection Agency is not required:

        • When the international transfer of personal data results from the application of treaties or conventions to which Spain is a party.
        • When the transfer is made in order to provide or request international judicial assistance.
        • When the transfer is necessary for medical prevention or diagnosis, the provision of health care or medical treatment, or the management of health services.
        • Where it relates to cash transfers in accordance with their specific legislation.
        • When the data subject has given unambiguous consent to the proposed transfer.
        • When the transfer is necessary for the performance of a contract between the data subject and the controller of the file, or for the adoption of pre-contractual measures taken at the data subject's request.
        • When the transfer is necessary for the conclusion or performance of a contract concluded, in the interest of the data subject, by the controller of the file and a third party.
        • Where the transfer is necessary or legally required to safeguard a public interest. A transfer requested by a tax or customs administration for the performance of its powers shall be considered as such.
        • When the transfer is required for the establishment, exercise or defence of a right in legal proceedings.
        • When the transfer is made, at the request of a person with a legitimate interest, from a public register and is consistent with the purpose of that register.

          Authorisation by the Director of the Spanish Data Protection Agency.

        In those cases where the authorisation of the Director of the Spanish Data Protection Agency is required for transmissions of data outside the territory of the EEA, the authorisation may be granted if, in addition to complying with the LOPD, the exporter provides guarantees of respect for the protection of the privacy of the data subjects and of their fundamental rights and freedoms, and guarantees the exercise of their respective rights.

        In accordance with Article 33 of the LOPD, the authorisation of an international transfer of data to a country that has not been declared a country with an adequate level of protection may be granted only if sufficient guarantees are obtained. Thus, it may be granted if the controller of the file provides a written contract, concluded between the data exporter and the data importer, containing the necessary guarantees of respect for the protection of the privacy of the data subjects and of their fundamental rights and freedoms, and guaranteeing the exercise of their respective rights.

        International transfers of data between controllers

        For such transfers, contracts concluded under the terms laid down in European Commission Decisions 2001/497/EC of 15 June 2001 and 2004/915/EC of 27 December 2004, which amends the former, are considered to provide adequate guarantees.

        Each of the European Commission decisions contains a set of standard contractual clauses. Controllers may opt for one set of clauses or the other, but may not modify them or combine elements of the different clauses or sets.

        International transfers of data from controller to processor

        When the data transfer is carried out between a controller and a processor, contracts that include the standard contractual clauses set out in European Commission Decision 2010/87/EU of 5 February 2010 are considered to provide adequate guarantees.

        International transfers of data from processor to sub-processor

        International transfers of data may be authorised between a processor/data exporter established in Spain and a sub-processor/data importer located in a country that does not guarantee an adequate level of protection, provided that the data exporter provides sufficient guarantees of respect for the privacy of the data subjects and of their fundamental rights and freedoms, and guarantees the exercise of their respective rights.

        Contracts that include the model clauses adopted by the Spanish Data Protection Agency in its resolution authorising international transfers of data of 16 October 2012 are considered to provide adequate safeguards.

        In addition to the contract between the processor/data exporter and the sub-processor/data importer, a framework contract between the controller and the processor/data exporter is required, in which the controller authorises the subcontracting and the international transfer of data.

        For authorisation based on any of the standard contractual clauses above, the following must be provided:

        a) where the data exporter is the controller of the file

        • Written request identifying the files that are the subject of the transfer, indicating the code under which each file is registered in the General Data Protection Register.
        • Contract based on the standard contractual clauses, signed by the parties (original or attested photocopy) and, where appropriate, a certified translation into Spanish.
        • Sufficient powers of the signatories and, where appropriate, a certified translation into Spanish.
        • The registration of the files must be fully up to date (chapters relating to "Collective" and "Security measures").

          b) where the data exporter is the processor

          • Written request identifying the exporter/processor and the importer/sub-processor.
          • Contract based on the contractual clauses, signed by the parties (original or attested photocopy) and, where appropriate, a certified translation into Spanish.
          • Framework contract between the controller and the processor/data exporter authorising the subcontracting and the international transfer of data and, where appropriate, a certified translation into Spanish.
          • Sufficient powers of the signatories and, where appropriate, a certified translation into Spanish.

          Standard contractual clauses.

          Binding Corporate Rules (BCRs)

          International transfers of data may also be authorised between companies of the same multinational group where internal rules have been adopted that are binding on the members of the group and enforceable under the Spanish legal system. Article 70.4 and Title IX, Chapter V of the RLOPD establish the legal regime applicable to international transfers within a multinational group. This regulation is supplemented by the following working documents prepared by the Article 29 Working Party of Directive 95/46/EC on the content of binding corporate rules and on the prior procedure that takes place between the different Member States concerned for the adoption of such rules:

          • WP 155 - Most frequently asked questions about BCRs.
          • WP 154 - Table setting out the structure of BCRs.
          • WP 153 - Table setting out the elements and principles that BCRs should contain.
          • WP 108 - Model application for authorisation of international transfers based on BCRs under the coordinated procedure.
          • WP 107 - Document on the competence of the European supervisory authorities in the coordinated procedure for BCR approval.
          • WP 74 - Document on the application of Article 26.2 of Directive 95/46/EC to BCRs.

          For authorisation based on Binding Corporate Rules, the following must be provided:

          • Written request identifying the exporting companies, the importing companies and the files that are the subject of the transfer, indicating the code under which each file is registered in the General Data Protection Register.
          • Binding Corporate Rules.
          • Copy of the formal authorisation given by the lead authority.
          • Sufficient powers of the applicant.
          • The registration of the files must be fully up to date (chapters relating to "Collective" and "Security measures").

          For any of the documents provided, a certified translation into Spanish must be supplied where appropriate.

          Authorisation procedure for international transfers of data:

          The authorisation of international transfers of data shall be processed in the General Data Protection Register in accordance with the procedure laid down in Section 1 of Chapter V of Title IX of the RLOPD.

          • The procedure starts at the request of the exporter intending to carry out the transfer.
          • Where appropriate, the applicant may be required to complete or correct the documentation submitted within 10 days, as laid down in Article 68(1) of Act 39/2015 on the Common Administrative Procedure of Public Administrations. If nothing is received from the applicant within that period, the request shall be deemed abandoned.
          • Optional public information period (10 days).
          • Once the legally required formalities have been completed, the Director of the Agency shall authorise the international transfer of data, and the authorisation resolution shall be transmitted to the General Data Protection Register so that it can be registered.
          • The General Data Protection Register shall register the transfer authorisation.
          • The maximum period for issuing and notifying the resolution shall be three months from the date on which the request is received by the Spanish Data Protection Agency.
            • If no express resolution has been issued and notified within this period, the international transfer of data shall be deemed authorised.

          In accordance with Article 44.4.d) of the LOPD, the following constitutes a very serious offence: "the international transfer of personal data to countries that do not provide an equivalent level of protection without the authorization of the Director of the Spanish Agency for Data Protection except in the circumstances in which under this Act and its provisions such authorisation is not necessary".