A guest article on the GDPR by:
Dr Oliver Hornung, Attorney at Law for IT & Digital Business and Partner of SKW Schwarz Rechtsanwälte
The following topics are covered in this series of contributions:
- Objectives and principles.
- Rights of data subjects.
- Obligations for companies.
- International data transfers abroad.
- Technical and organisational data protection.
- Commissioned processing.
- Obligation to appoint a company data protection officer.
- New European data protection law also applies to website operators.
- Supervisory Authorities.
- Fines and Sanctions.
- Employee data protection.
- What do companies have to do?
Data transfer abroad
The rules on data transfers abroad, i.e. to unsafe third countries outside the European Union or the European Economic Area, adopt the system already known from the Federal Data Protection Act, but with some new emphases.
A transfer of personal data to a so-called unsafe third country is permissible if the controller and the processor fulfill the conditions laid down for transfers to third countries and also comply with the other provisions of the GDPR. Accordingly, a transfer is permissible if the European Commission has decided that an adequate level of protection exists. If the European Commission has not made such a decision, a controller or processor may only transfer personal data to an unsafe third country if it has provided appropriate safeguards and if enforceable rights and effective remedies are available. The appropriate safeguards can take the following forms:
- Binding corporate rules (BCR)
- Standard contractual clauses
- Individual contractual clauses
New in this context are the detailed enumeration of the minimum content for BCRs and the possibility for national supervisory authorities to issue their own model standard contractual clauses.