GDPR Article 45 deals with the complex issue of international data transfers. Massive amounts of data are transferred to and from the UK and EU, and other countries, on a daily basis.
Article 45 enacts a number of precautionary measures that protect the data whilst it is being processed, and secures the rights and freedoms of any individuals who may be affected by cross-border transfers.
Transfers on the Basis of an Adequacy Decision
- A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.
- When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements:
- (a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred;
- (b) the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the Member States; and
- (c) the international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.
- The Commission, after assessing the adequacy of the level of protection, may decide, by means of implementing act, that a third country, a territory or one or more specified sectors within a third country, or an international organisation ensures an adequate level of protection within the meaning of paragraph 2 of this Article. The implementing act shall provide for a mechanism for a periodic review, at least every four years, which shall take into account all relevant developments in the third country or international organisation. The implementing act shall specify its territorial and sectoral application and, where applicable, identify the supervisory authority or authorities referred to in point (b) of paragraph 2 of this Article. The implementing act shall be adopted in accordance with the examination procedure referred to in Article 93(2).
- The Commission shall, on an ongoing basis, monitor developments in third countries and international organisations that could affect the functioning of decisions adopted pursuant to paragraph 3 of this Article and decisions adopted on the basis of Article 25(6) of Directive 95/46/EC.
- The Commission shall, where available information reveals, in particular following the review referred to in paragraph 3 of this Article, that a third country, a territory or one or more specified sectors within a third country, or an international organisation no longer ensures an adequate level of protection within the meaning of paragraph 2 of this Article, to the extent necessary, repeal, amend or suspend the decision referred to in paragraph 3 of this Article by means of implementing acts without retro-active effect. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).
On duly justified imperative grounds of urgency, the Commission shall adopt immediately applicable implementing acts in accordance with the procedure referred to in Article 93(3).- The Commission shall enter into consultations with the third country or international organisation with a view to remedying the situation giving rise to the decision made pursuant to paragraph 5.
- A decision pursuant to paragraph 5 of this Article is without prejudice to transfers of personal data to the third country, a territory or one or more specified sectors within that third country, or the international organisation in question pursuant to Articles 46 to 49.
- The Commission shall publish in the Official Journal of the European Union and on its website a list of the third countries, territories and specified sectors within a third country and international organisations for which it has decided that an adequate level of protection is or is no longer ensured.
- Decisions adopted by the Commission on the basis of Article 25(6) of Directive 95/46/EC shall remain in force until amended, replaced or repealed by a Commission Decision adopted in accordance with paragraph 3 or 5 of this Article.
Transfers on the Basis of an Adequacy Decision
- A transfer of personal data to a third country or an international organisation may take place where it is based on adequacy regulations (see section 17A of the 2018 Act).
- When assessing the adequacy of the level of protection, for the purposes of sections 17A and 17B of the 2018 Act, the Secretary of State shall, in particular, take account of the following elements:
- (a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred;
- (b) the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the the Commissioner; and
- (c) the international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.
- The amendment or revocation of regulations under section 17A of the 2018 Act is without prejudice to transfers of personal data to the third country, a territory or one or more specified sectors within that third country, or the international organisation in question pursuant to Articles 46 to 49.
Adequacy is a key term that appears throughout GDPR Article 45. The term ‘adequate level of protection’ means that the data recipient guarantees an according a level of protection which can be deemed ‘essentially equivalent’ to GDPR.
Adequacy is dealt with across 6 key areas:
In this section we talk about GDPR Articles 45 (1), 45 (2)(a), 45 (2)(b), 45 (2)(c), 45 (3), 45 (4), 45 (5), 45 (6), 45 (7), 45 (8), 45 (9)
Regional regulatory and legal rules vary depending on where the data has originated from, and where it’s going to be transferred to.
Organisations should take all relevant laws, frameworks and regulations into account whenever they need to transfer data between jurisdictions, including the use of a designated supervisory authority.
GDPR Article | ISO 27701 Clause | ISO 27701 Supporting Clauses |
---|---|---|
EU GDPR Articles 45 (1) to 45 (9) | ISO 27701 7.5.1 | None |
With ISMS.online, you can easily demonstrate a level of privacy protection that goes beyond ‘reasonable’, all in one secure, always-on location.
The ISMS.online platform includes built-in guidance at each step, combined with our ‘Adopt, Adapt, Add’ implementation approach, so demonstrating your GDPR compliance is significantly easier. A wide range of time-saving tools will also be available to you.
Find out more by scheduling a demo.
It helps drive our behaviour in a positive way that works for us
& our culture.