matthew-henry-fPxOowbR6ls-unsplash

“Privacy Shield 2.0” is here: the European Commission adopted the long-expected decision on the framework for personal data protection on data transferred to the USA

27. 7. 2023

Newsletter

bpv BRAUN PARTNERS

In accordance with Article 45(3) of the General Data Protection Regulation[1] (“GDPR”), on July 10, 2023 the European Commission adopted the decision on a suitable level of protection for personal data provided under the EU-US Data Privacy Framework (“DPF”). This decision comes in response to the need to create a GDPR-compliant legal framework to enable easy transfer of personal data from the EU to the US after the invalidation of the (EU-US) Privacy Shield, the previous European Commission Implementing Decision on a suitable level of protection.

The DPF is a self-certification system administered and overseen by US government bodies in which individual American companies commit to uphold DPF standards, consisting especially of the obligation to handle data transferred from the EU (or EEA) in accordance with the GDPR.

This EC decision on the PDF allows personal data to be transferred from the EU (or EEA) to American companies with valid DPF certification under the same conditions as it is transferred within the EU, i.e. without taking additional measures.

For the sake of completeness we should mention that European Union decisions on a suitable level of protection for personal data are not the only possible means of transferring personal data outside the EU in compliance with GDPR. Data controllers or processors can also transfer data outside the EU if they provide suitable guarantees[2] pursuant to Article 46 of the GDPR, which can be done on a contractual basis using the standard personal data protection clauses accepted by the European Commission (“standard clauses”). Please keep in mind, however, that even standard clauses cannot solve everything, since for example they are not binding for public authorities that are not party to the contracts. It is important to determine in each case whether the laws of the country to which the data is being transferred provide a suitable level of protection, and if they do not, to take the additional measures necessary beyond the scope of the standard clauses. Failure to do this exposes controllers and processors to the risk of penalties, such as the record 1.2 billion euros imposed in May of this year on Meta Platforms Ireland Limited by the Irish Data Protection Commission.

 

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

[2] The data subjects’ enforceable rights and effective legal protection must also be in place.

Similar news

Newsletter
whistleblower
10. 5. 2023 | bpv BRAUN PARTNERS

Whistleblower – Law in the Czech Republic

The long prepared and hotly debated law was passed a few days ago by the Lower chamber in its third reading without opposition and will most likely come into force on 1 July 2023.

Press Releases
Tiskovky-min
28. 9. 2022 | bpv BRAUN PARTNERS

bpv BRAUN PARTNERS assisted Austrian real estate company Immofinanz in one of the largest real estate transactions in the CEE region

bpv BRAUN PARTNERS advised its client, IMMOFINANZ, on the acquisition of 53 retail properties from CPI Property Group (CPIPG).

Newsletter
photovoltaic-2138992_1920
3. 11. 2023 | bpv BRAUN PARTNERS

Industrial buildings, warehouses and photovoltaics, with the exception of agrovoltaics, will be stopped on agricultural land

The Government approved an amendment to Act No. 334/1992 Coll., on the Protection of the Agricultural Land Fund, which strengthens the protection of agricultural land.