A stricter regime for profiling07 June 2016
Spanish Data Protection Authority Clarifies Requirements for Cross-Border Transfers to Safe Harbor US entities
The AEPD letter implicitly recognizes the following mechanisms as adequate to justify data transfers to jurisdictions without adequate data protection:
- Standard contractual clauses remain adequate, but as before, they must be authorized by the AEPD. The authorization process generally takes about three months.
- Data transfers remain adequate without authorization from the AEPD if they meet one of the following conditions:
- The transfer is made with the data subject’s unambiguous consent;
- is necessary for the performance of a contract with, or in the interests of, the data subject;
- results from a treaty or convention to which Spain is a party;
- is necessary or legally required to safeguard public interest, provide judicial aid, medical care, or support legal claims;
- is necessary to protect the vital interests of the data subject; or
- is made from a public register.
Although no express reference is made to Binding Corporate Rules (BCRs), there is no reason to believe that this is not a valid mechanism, provided that authorization is obtained from the AEPD. Regardless of whether a specific mechanism requires authorization, all data transfers require prior notification to the AEPD.
The practical effect of the letter will likely be to confirm that the alternative mechanisms listed above remain available to companies, provided that they appropriately inform the AEPD.
The letter also notes that companies that fail to inform the AEPD of the mechanisms used to justify cross-border data transfers may be subject to enforcement actions, which may include monetary fines and the temporary suspension of transfers.
Brian Kennedy, an associate in our Washington, D.C. office, contributed to this entry.
The Regulation aims to strengthen the rights of individuals. It does so by retaining rights that already exist under the Data Protection Directive and introducing the new rights of data...06 June 2016
Grounds for processing03 June 2016