Regulation of Transborder Data Flows under ... - Tilburg University
Regulation of Transborder Data Flows under ... - Tilburg University
Regulation of Transborder Data Flows under ... - Tilburg University
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Kuner/<strong>Regulation</strong> <strong>of</strong> <strong>Transborder</strong> <strong>Data</strong> <strong>Flows</strong> <strong>under</strong> <strong>Data</strong> Protection and Privacy Law 87<br />
Name Source Text or translation (excerpts; notes are given in italics)<br />
Infocomm<br />
Development<br />
Authority <strong>of</strong><br />
Singapore<br />
(IDA) and the<br />
National Trust<br />
Council <strong>of</strong><br />
Singapore<br />
(NTC)<br />
Madrid<br />
Resolution<br />
Treasury<br />
Board <strong>of</strong><br />
Canada<br />
Voluntary Model <strong>Data</strong><br />
Protection Code for<br />
the Private Sector<br />
(Version 1.3 final)<br />
International<br />
Standards on the<br />
Protection <strong>of</strong> Personal<br />
<strong>Data</strong> and Privacy<br />
(non-binding)<br />
Taking Privacy into<br />
Account before<br />
Making Contracting<br />
Decisions (2006)<br />
and prosecution <strong>of</strong> criminal <strong>of</strong>fences, breaches <strong>of</strong> ethics <strong>of</strong> regulated<br />
pr<strong>of</strong>essions, or the protection <strong>of</strong> the data subject. In all cases transfers<br />
should be fully consistent with these common principles, especially the<br />
limitation/purpose specification.<br />
Principle 4.1.1<br />
Where data are to be transferred to someone (other than the individual or<br />
the organisation or its employees), the organisation shall take reasonable<br />
steps to ensure that the data which is to be transferred will not be<br />
processed inconsistently with this Model Code.<br />
NOTE: The Implementation and Operational Guidelines to the provision<br />
explain that ‘the restrictions on the onward transfers <strong>of</strong> personal data<br />
<strong>under</strong> this principle apply to transfers to another organisation whether<br />
the organisation is located in Singapore or not’.<br />
15 International Transfers<br />
1. As a general rule, international transfers <strong>of</strong> personal data may be<br />
carried out when the State to which such data are transmitted affords, as a<br />
minimum, the level <strong>of</strong> protection provided for in this Document.<br />
2. It will be possible to carry out international transfers <strong>of</strong> personal data<br />
to States that do not afford the level <strong>of</strong> protection provided for in this<br />
document where those who expect to transmit such data guarantee that<br />
the recipient will afford such level <strong>of</strong> protection; such guarantee may for<br />
example result from appropriate contractual clauses. In particular, where<br />
the transfer is carried out within corporations or multinational groups,<br />
such guarantees may be contained in internal privacy rules, compliance<br />
with which is mandatory.<br />
3. Moreover, national legislation applicable to those who expect to<br />
transmit data may permit an international transfer <strong>of</strong> personal data to<br />
States that do not afford the level <strong>of</strong> protection provided for in this<br />
Document, where necessary and in the interest <strong>of</strong> the data subject in the<br />
framework <strong>of</strong> a contractual relationship, to protect the vital interests <strong>of</strong><br />
the data subject or <strong>of</strong> another person, or when legally required on<br />
important public interest grounds.<br />
Applicable national legislation may confer powers on the supervisory<br />
authorities referred to in section 23 to authorize some or all <strong>of</strong> the<br />
international transfers falling within their jurisdiction, before they are<br />
carried out. In any case, those who expect to carry out an international<br />
transfer <strong>of</strong> personal data should be capable <strong>of</strong> demonstrating that the<br />
transfer complies with the guarantees provided for in this Document and<br />
in particular where required by the supervisory authorities pursuant to the<br />
powers laid down in paragraph 23.2.<br />
Guidance which requires public bodies when contracting (including<br />
situations when this will result in personal data being transferred outside<br />
<strong>of</strong> Canada) to apply a context-specific test regarding the risk to privacy,<br />
<strong>under</strong> which agencies are to evaluate the following factors:<br />
--the sensitivity <strong>of</strong> the personal information, including whether the<br />
information is detailed or highly personal, and the context in which it<br />
was collected;<br />
--the expectations <strong>of</strong> the individuals to whom the personal information<br />
relates; and<br />
--the potential injury if personal information is wrongfully disclosed or<br />
misused, including the potential for identity theft or access by foreign<br />
governments