Data Protection Directive

Article 29 Working Party Adopts Procedure on Approval of Model Clauses

On 26 November 2014, the Article 29 Working Party adopted a working document on establishing a cooperation procedure for issuing common opinions on whether contractual clauses are compliant with the European Commission’s Model Clauses (Model Clauses).

The working document establishes the procedure in which companies wishing to use identical contractual clauses in different Member States for transfers of personal data outside the European Economic Area (EEA) are able to obtain a coordinated position from the relevant Data Protection Authorities (DPA) on the proposed contracts, without the need to approach each relevant DPA individually for approval.

Background

Model Clauses represent one of the ways that a data controller can overcome the general prohibition contained in the EU Data Protection Directive (95/46/EC) on cross-border transfers of personal data to countries outside the EEA that do not offer adequate levels of data protection.  The Model Clauses are intended to be used without amendment – although some divergence, e.g., through the use of additional clauses having no impact on the overall compliance of the Model Clauses adopted, may be acceptable.

Company groups in Europe often use identical contractual clauses in different jurisdictions for the purposes of transfers out of the EEA.  However, differing implementation of the Data Protection Directive between Member States means that some jurisdictions (such as Austria, Denmark, France and Spain) require DPA approval of the Model Clauses used, whether used with or without amendment, whereas other jurisdictions do not require such DPA approval where the Model Clauses are used without amendment.  As a result, identical contracts using the Model Clauses with only minor amendment may be considered compliant by a DPA in one jurisdiction but not in others.

According to the Working Party, the purpose of this working document is to create a procedure allowing companies to obtain a coordinated position from the relevant DPAs when using identical contractual clauses based on the Model Clauses with minor amendment, in particular as to whether the contractual clauses are compliant with the Model Clauses.

The Process

Should a company wish to know whether its contract is compliant with the Model Clauses, under the proposed cooperation procedure, it will first need to ask the DPA it believes is entitled to act as the lead DPA to launch the EU cooperation procedure.

The company will then need to provide the lead DPA with a copy of the contract, indicating the references to the Model Clauses together with any divergences and additional clauses, as well as a list of EEA countries from which the company will be carrying out the transfers.

The Lead DPA

The Working Party has suggested that the company should choose the lead DPA from a Member State in which the transfers will take place and it will be for the company to justify why the DPA should be considered the lead.  According to the Working Party, the following criteria should be considered by the company:

  1. The location from which the contractual [...]




Article 29 Working Party Discusses the Right to be Forgotten

On 18 September 2014, the European Union’s Article 29 Data Protection Working Party published a press release outlining its recent plenary session discussions on the so-called “right to be forgotten” or “de-listed.”

The Working Party identifies that search engines, as data controllers, are under an obligation to acknowledge requests to be de-listed and establishes amongst European data protection authorities a “tool box” for ensuring a common approach to complaints handling in the case of refusals to de-list.

Background

The Working Party, made up of EU member state national data protection authorities, is an independent advisory body on data protection and privacy, set up under Article 29 of the Data Protection Directive (95/46/EC) (DPD) in order to contribute to the DPD’s uniform application.

The purpose of its latest plenary session held on 16 and 17 September 2014 was to discuss the aftermath of the European Court of Justice’s (ECJ) May 2014 ruling which recognised an EU citizen’s right to have the results of searches conducted against their name and containing their personal information removed where such information was inaccurate, inadequate, irrelevant or excessive for the purposes of data processing.

Key Messages

The Working Party has acknowledged that there is high public demand for the right to be forgotten, based on the number of complaints received by European data protection authorities relating to refusals by search engines to de-list since the ECJ ruling.

The Working Party has agreed that there is a need for a uniform approach to the handling of de-listing complaints.  As such the Working Party has proposed that:

  • It is necessary to put in place a network of dedicated contact persons within European data protection authorities to develop common case-handling criteria; and
  • Such a network will provide data protection authorities with a record of decisions taken on complaints and a dashboard to assist in reviewing similar, new or more difficult cases.

Going forward, the Working Party also confirmed that it will continue to review how search engines comply with the ECJ’s ruling, having already held a consultation process with search engines and media companies over the summer.




Article 29 Working Party Publishes Statement on the Risk-Based Approach to Data Protection

On May 30, 2014, the European Union’s Article 29 Data Protection Working Party adopted “Statement on the role of a risk-based approach in data protection legal frameworks” (WP281).  The Working Party, made up of EU member state national data protection authorities, confirmed its support for a risk-based approach in the EU data protection legal framework, particularly in relation to the proposed reform of the current data protection legislation.  However, with a view to “set the record straight,” the Working Party also addresses its concerns as to the interpretation of such an approach and sets out its “key messages” on the issue.

Approaching Risk

In support of the risk-based approach, which broadly calls for increased obligations proportionate to the risks involved in data processing, the Working Party sets out examples of its application in the current Data Protection Directive (95/46/EC) and the proposed General Data Protection Regulation.  The Working Party confirms that the risk-based approach must result in the same level of protection for data subjects, no matter the size of the particular organisation or the amount of data processed.  However, the Working Party clarifies that the risk-based approach should not be interpreted as an alternative to established data protection rights, but instead a “scalable and proportionate approach to compliance.”  Consequently, the Working Party accepts that low-risk data processing may involve less stringent obligations on data controllers than comparatively high-risk data processing.

Key Messages

To conclude its views on the risk-based approach, the Working Party establishes 13 key messages – in summary:

  1. Protection of personal data is a fundamental right and any processing should respect that right;
  2. Whatever the level of risk involved, data subjects’ legal rights should be respected;
  3. While the levels of accountability obligations can vary according to the risk of the processing, data controllers should always be able to demonstrate compliance with their data protection obligations;
  4. While fundamental data protection principles relating to data controllers should remain the same whatever the risks posed to data subjects, such principles are still inherently scalable;
  5. Accountability obligations should be varied according to the type and risk of processing involved;
  6. All data controllers should document their processing, although the form of documentation can vary according to the level of risk posed by the processing;
  7. Objective criteria should be used when determining risks which could potentially negatively impact a data subject’s rights, freedoms and interests;
  8. A data subject’s rights and freedoms primarily concern the right to privacy, but also encompass other fundamental rights, such as freedom of speech, thought and movement, prohibition on discrimination, and the right to liberty, conscience and religion;
  9. Where specific risks are identified, additional measures should be taken – data protection authorities should be consulted regarding highly risky processing;
  10. While pseudonymising techniques are important safeguards that can be taken into account when assessing compliance, such techniques alone do not justify a reduced regime on accountability obligations;
  11. The risk-based approach should be assessed on a very wide scale and take into account every potential/actual adverse effect;
  12. The legitimate [...]



