Regulation of Transborder Data Flows under ... - Tilburg University
Regulation of Transborder Data Flows under ... - Tilburg University
Regulation of Transborder Data Flows under ... - Tilburg University
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Kuner/<strong>Regulation</strong> <strong>of</strong> <strong>Transborder</strong> <strong>Data</strong> <strong>Flows</strong> <strong>under</strong> <strong>Data</strong> Protection and Privacy Law 61<br />
B. National data protection and privacy legislation in force<br />
Country Source Text or translation (excerpts; notes are given in italics)<br />
EU and EEA<br />
Member<br />
States<br />
EU <strong>Data</strong> Protection<br />
Directive 95/46/EC,<br />
Articles 25 and 26 (see<br />
above <strong>under</strong><br />
‘European Union’)<br />
Local or regional data<br />
protection laws in<br />
many EU Member<br />
States regulate<br />
transborder data flows<br />
The 27 EU Member States (Austria, Belgium, Bulgaria, Cyprus, Czech<br />
Republic, Denmark, Estonia, Finland, France, Germany, Greece,<br />
Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the<br />
Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain,<br />
Sweden and the United Kingdom) and the three EEA Member States<br />
(Iceland, Liechtenstein, and Norway) have all adopted the provisions <strong>of</strong><br />
the EU <strong>Data</strong> Protection Directive (including restrictions on transborder<br />
data flows) and implemented them into their national laws.<br />
For example: German federal state <strong>of</strong> Hessen, Hessisches<br />
Datenschutzgesetz (applies only to the public law sector and entities<br />
subject to public law):<br />
§ 17:<br />
(1) The provisions <strong>of</strong> this Act apply to the permissibility <strong>of</strong> transferring<br />
personal data within the area <strong>of</strong> application <strong>of</strong> the EU <strong>Data</strong> Protection<br />
Directive.<br />
(2) A transfer to recipients outside the area listed in para. 1 is only<br />
permissible based on this Act if it exclusively accrues to the benefit <strong>of</strong><br />
the individual or an adequate level <strong>of</strong> data protection with the recipient is<br />
assured. The DPA <strong>of</strong> Hessen is to be consulted before any decision about<br />
adequacy is made. If an adequate level <strong>of</strong> protection is not assured, then<br />
personal data may only be transferred if:<br />
1. the individual has consented;<br />
2. the transfer is necessary for protection <strong>of</strong> an overriding public interest<br />
or to assert, exercise or defend legal claims before a court;<br />
3. the transfer is necessary to protect the vital interests <strong>of</strong> the individual,<br />
or<br />
4. the transfer is conducted from a register designed for the information<br />
<strong>of</strong> the public and that is accessible either by the public or by all persons<br />
who can show a legitimate interest in consulting it, ins<strong>of</strong>ar as the legal<br />
requirements are fulfilled in a particular case.<br />
The recipient to whom the data are transferred must be informed that the<br />
transferred data may only be processed for purposes that are consistent<br />
with those for the fulfilment <strong>of</strong> which the data are being transferred.