ARTICLE 29 DATA PROTECTION WORKING PARTY

Recommendations

Info

The WP29 recommends also inserting a clear reference to the Purpose Limitation principle (Annex II, II.5) within the conditions for onward transfers to a third party controller (Annex II, II.3.a). This would make clear that onward transfers may not take place where the third party controller will process data for an incompatible purpose. Exemption to the need of contract for intra-group transfers between controllers An exemption to the need of contract is provided for intra-group transfers between controllers. In such a scenario, the Principles state that the continuity of the protection could be offered by Binding Corporate Rules (BCRs) or “other intra-group instruments (e.g. compliance and control programmes)” (Annex II, III.10.b). The WP29 considers that the reference to ‘other intra-group instruments’ does not guarantee legally binding commitments made by the other members of the group. Since the WP29 and the EU legislation 20 generally favour binding commitments to frame intra-group transfers, it is important to avoid that the Privacy Shield will be used in a way to circumvent this requirement. The WP29 recalls that, in any case, onward transfers from the U.S. to third countries planned even before the transfer to the U.S. takes place, or that are subject to joint controllership with the EU data controller 21 , have to be considered as a direct transfer from the EU to the third country outside the U.S. Articles 25 and 26 of the Directive are therefore applicable to the transfer. c) Transfers from a Privacy Shield organisation to a third party processor (Agent) The WP29 welcomes the fact that a contract for onward transfers is now mandatory for receiving entities acting as processors (Agents) regardless of their participation to the Privacy Shield or if they benefit from another adequacy finding solution. The WP29 also welcomes the additional safeguards framing these onward transfers (Annex II, II.3.a.i; II.3.a.iii; II.3.a.iv; II.3.a.v; II.7.d). The last point (Annex II, II.7.d) concerns the obligation to remain liable when data are disclosed to an Agent. However, it seems that this guarantee will not apply in case an organisation has chosen to cooperate with a DPA (see Annex II, III.5.a in fine). The WP29 does not understand the reason for such an exemption and considers that liability should apply even in this case. Lack of reference to the purpose limitation principle The WP29 notes that the Accountability for Onward Transfer principle (Annex II, II.3) explains that personal data may be transferred to a third party acting as an Agent only for limited and specified purposes, but does not explicitly say that these limited and specified purposes have to be compatible with the initial purposes for which the data were collected as well as with the instructions of the controller. More clarity is needed on this point. The WP29 therefore suggests to ensure the adequacy decision provides more detail, for example by inserting a clear reference to the Purpose Limitation principle (Annex II, II.5), according to 20 The need of binding and enforceable commitments is also underlined in the GDPR whatever the tool used (BCRs, contractual clauses, codes of conduct or certification). 21 For instance, for HR data. 22
which data may not be processed (including disclosed) for incompatible purposes within the onward transfer principle (in addition to the opt-out principle). Need for more additional obligations for Privacy Shield organisations acting as processor (Agent) onward data to another processor (Agent) The absence of clear rules where the Shield organisation is acting as an Agent (i.e. on behalf an EU controller) imply a loophole and might prevent the EU controller to remain into control. A Shield organisation receiving the data as an Agent of an EU controller has to respect the EU controller’s instructions. This should be expressly stated in the Principles in order to ensure that the non-respect of those instructions will not only lead to a breach of the contract (Annex II, III.10.a.ii) but also to a violation of the Privacy Shield principles. The possibility for a Shield organisation acting as an Agent to subsequently transfer data to a third party Agent has to be made transparent to the Controller and be subject to its prior approval. It should therefore be clearly stated that it is the contract signed by the Agent with the EU controller (referred to in F.A.Q. 10 as the ‘Article 17 contract’) that determines whether an onward transfer is allowed. 22 The current conditions applicable to the onward transfer to an Agent are built on the assumption that the Shield organisation acts as a controller and can therefore decide by itself on the possible intervention of a third party Agent. This should however not be possible where the Shield organisation acts as an Agent. Otherwise, the EU controller will be deprived from its control capacities. The relevant privacy provisions of the contract concluded with the third party Agent must be made available to the controller and must also to provide at least the same level of protection as provided by the contract signed with the controller. 2.2.4 Data Integrity and Purpose Limitation a) Proportionality On a minor point, the WP29 refers to its letter to Vice-President Reding in which it wrote that “a processing of personal data could, even under a strict respect of Notice and Choice, be not proportionate with regards to the interests’ rights and freedoms of the data subject or society. The principle of proportionality or reasonableness is to be respected at all stages of the processing and should be applicable in addition to the principles of Notice and Choice” 23 . The Privacy Shield (Annex II, II.5.a) states that the information must be limited to what is relevant for the processing. The WP29 would prefer if this wording is amended in the final adequacy decision, since the mere fact that the data shall be relevant to the processing is not sufficient to make the processing proportionate. In order to meet the proportionality principle, the processing should be limited to the data that are necessary for the processing at stake. 22 See WP29 letter to Vice-President Reding, 10 April 2014, point 4 under Onward Transfer 23 See WP29 letter to Vice-President Reding, 10 April 2014, p.8 23
Page 1 and 2: ARTICLE 29 DATA PROTECTION WORKING
Page 3 and 4: With regard to the applicable law,
Page 5 and 6: Conclusion The WP29 notes the major
Page 7 and 8: 3.2 GUARANTEE A - PROCESSING SHOULD
Page 9 and 10: 1. INTRODUCTION Following the judgm
Page 11 and 12: protection equivalent to the princi
Page 13 and 14: as well as making accessibility for
Page 15 and 16: a shared product. Alternatively, th
Page 17 and 18: 2.1.3 Limitations to the duty to ad
Page 19 and 20: other rights (to correct, delete wh
Page 21: The Accountability for Onward Trans
Page 25 and 26: Thus the Choice principle, can be r
Page 27 and 28: Alternatively, complaints could be
Page 29 and 30: Privacy Shield List will also conta
Page 31 and 32: Notice, choice and purpose limitati
Page 33 and 34: when exercising his/her right of ac
Page 35 and 36: circumstances in which, and the con
Page 37 and 38: Despite the declassification of doc
Page 39 and 40: The WP29 welcomes the findings in t
Page 41 and 42: with through internal and policy me
Page 43 and 44: The WP29 notes that its previous cr
Page 45 and 46: 3.5.3 Privacy Shield Ombudsperson 3
Page 47 and 48: ECtHR nevertheless has high expecta
Page 49 and 50: European Union, the European Commis
Page 51 and 52: It is furthermore the understanding
Page 53 and 54: 4.2 Application of the European Ess
Page 55 and 56: All in all, the WP29 notes that the
Page 57 and 58: 5. CONCLUSIONS AND RECOMMENDATIONS

ARTICLE 29 DATA PROTECTION WORKING PARTY

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?