ARTICLE 29 DATA PROTECTION WORKING PARTY

Recommendations

Info

opportunity to exercise this right should be offered before the disclosure or re-use of personal information. Moreover, the WP29 emphasises that a general right to object (on compelling grounds relating to the data subject’s particular situation), being understood as a right to ask to terminate the processing about one's data whenever the individual has compelling legitimate grounds relating to his particular situation, should be offered within the Privacy Shield 17 . The WP29 strongly recommends that the draft adequacy decision makes clear that the right to object should exist at any given moment, and that this objection is not limited to the use of the data for direct marketing 18 . The WP29 fears that the lack of definition of what is to be regarded as a ‘materially different’ purpose will lead to confusion and legal uncertainty. It should be clarified that in any case, the Choice principle cannot be used to circumvent the Purpose limitation principle 19 . Choice should be applicable only where the purpose is materially different but still compatible since the processing for incompatible purpose is prohibited (Annex II, II.5.a). It has to be clarified that the right to opt-out cannot enable the organisation to use data for incompatible purposes. Hence, it recommends harmonising the related wording by using a single and defined wording (e.g. “materially different but nevertheless compatible purpose”). Clarification would be helpful as to where a decision taken to process data for another purpose or to disclose information falls under EU law. In this situation the usual EU legal conditions regarding this processing (such as the prohibition on processing for incompatible purposes, to provide for a legitimate ground for the processing and the need to inform the individual) will directly apply including to the U.S. organisation falling under the scope of EU law. In practice, this means that it will be for the EU exporter taking such a decision to ensure transparency and lawfulness of the processing according to EU law. Therefore, the choice principle will apply only where the decision is taken exclusively by the U.S. Shield organisation not submitted to EU law. 2.2.3 Onward transfers a) Scope The WP29 is concerned with the situation where onward transfers of personal data take place from a Privacy Shield certified organisation in the U.S. to a recipient in a third country. The Shield should not only be seen as a tool to transfer EU data from the EU to the U.S. but will also serve as a tool to be used to transfer data from the U.S. to third countries. Provisions on onward transfers are therefore an important element of the Shield that should provide sufficient guarantees and an adequate level of protection when data are onward transferred outside the U.S. One particular issue is linked to national security and law enforcement. 18 See WP29 letter to Vice-President Reding, under ‘Choice’. 19 A concrete example of further incompatible processing authorised under the Choice principle is provided under Supplemental principle 9.b.i (see the WP29 comment about it under the point related to ’HR data’. 20
The Accountability for Onward Transfers principle of the Privacy Shield is not limited to recipient data controllers, processors or Agents established in the U.S. Therefore, onward transfers to a third country could take place on the basis of the Privacy Shield, even if the third country has laws providing for public access to personal data, for example for purposes of surveillance. This puts EU data at risk of unjustified interferences with the fundamental rights protection. In any case of an onward transfer to a third country, every Privacy Shield organisation should be obliged to assess the mandatory requirements of the third country’s national legislation applicable to the data importer prior to the transfer. If a risk of substantial adverse effect on the guarantees, obligations and level of protection provided by the Privacy Shield is identified, the U.S. Privacy Shield organisation acting as a Processor (Agent) shall promptly notify the EU data controller before carrying out any onward transfer. In these cases the data exporter is entitled to suspend the transfer of data and/or terminate the contract. Where there is such a risk of substantial adverse effect, a Shield organisation acting as a controller should not be allowed to onward transfer the data, as this would compromise its duty to provide the same level of protection as under the Principles in case of onward transfers (see Annex II, II.3.a). Similarly, in the event of a change in the third country’s legislation which is likely to have a substantial adverse effect on the guarantees, obligations and level of protection provided by the Privacy Shield, the U.S. Privacy Shield organisation acting as a Processor (Agent) should be obliged – by the Privacy Shield – promptly to notify this change to the data exporter as soon as it becomes aware of it, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract. Accordingly, in such a case, a Shield organisation acting as a controller should not be allowed to onward transfer as it has a duty to provide the same level of protection as under the Principles (see Annex II, II.3.a). The WP29 recalls its position that if the EU data controller is aware of an onward transfer to a third party outside the U.S. even before the transfer to the U.S. takes place, or if the EU data controller is jointly responsible for the decision to allow onward transfers, the transfer should be considered as a direct transfer from the EU to the third country outside the U.S. This means Articles 25 and 26 of the Directive are applicable to the transfer instead of the Privacy Shield onward transfer principle. b) Transfers from a Privacy Shield organisation to a third party controller The WP29 welcomes the duty to put in place contracts (Annex II, II.3.a) to ensure that a third party Controller will provide at least the same level of privacy protection as is required by the Privacy Shield principles. The purpose is to ensure that personal data continue to be protected adequately, even after having been transferred onward. However the WP29 has some remarks on the proposed conditions. Lack of reference to the Purpose Limitation principle 21
Page 1 and 2: ARTICLE 29 DATA PROTECTION WORKING
Page 3 and 4: With regard to the applicable law,
Page 5 and 6: Conclusion The WP29 notes the major
Page 7 and 8: 3.2 GUARANTEE A - PROCESSING SHOULD
Page 9 and 10: 1. INTRODUCTION Following the judgm
Page 11 and 12: protection equivalent to the princi
Page 13 and 14: as well as making accessibility for
Page 15 and 16: a shared product. Alternatively, th
Page 17 and 18: 2.1.3 Limitations to the duty to ad
Page 19: other rights (to correct, delete wh
Page 23 and 24: which data may not be processed (in
Page 25 and 26: Thus the Choice principle, can be r
Page 27 and 28: Alternatively, complaints could be
Page 29 and 30: Privacy Shield List will also conta
Page 31 and 32: Notice, choice and purpose limitati
Page 33 and 34: when exercising his/her right of ac
Page 35 and 36: circumstances in which, and the con
Page 37 and 38: Despite the declassification of doc
Page 39 and 40: The WP29 welcomes the findings in t
Page 41 and 42: with through internal and policy me
Page 43 and 44: The WP29 notes that its previous cr
Page 45 and 46: 3.5.3 Privacy Shield Ombudsperson 3
Page 47 and 48: ECtHR nevertheless has high expecta
Page 49 and 50: European Union, the European Commis
Page 51 and 52: It is furthermore the understanding
Page 53 and 54: 4.2 Application of the European Ess
Page 55 and 56: All in all, the WP29 notes that the
Page 57 and 58: 5. CONCLUSIONS AND RECOMMENDATIONS

ARTICLE 29 DATA PROTECTION WORKING PARTY

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?