Cross-Border Transfers of Personal Data
We now know that our data has to be protected adequately in our own country. But what happens when the data is transferred to another country? This is a rather complex matter, but we would nevertheless like to discuss briefly how such transfers of personal data have been regulated.
Your personal data can move freely out of Belgium and within the European Union, as long as the Belgian Privacy Act is observed. Thanks to Directive 95/46/EC all Member States apply the same level of protection when processing personal data. Consequently, a transfer within the European Union is regulated like a transfer in Belgium and has to respect the general principles of the law (conditions include respecting the legitimacy and the compatibility of the disclosure with respect to the original processing operation, informing the data subjects).
In principle, only transfers to countries ensuring an adequate level of protection are authorized
Outside the European Union, and more generally outside the European Economic Area, personal data can only be transferred to countries ensuring a level of protection equal to that which is offered on EU territory. Because new technologies facilitate data circulation, the lack of such a rule would quickly erode the elaborate protection mechanism of the European Union.
Any controller wishing to transfer personal data outside the European Union first has to make sure that the country of final destination ensures an adequate level of protection. If that country's level of protection can be considered adequate, the transfer may take place as if it were a transfer to another country of the European Union. Nevertheless, the general principles of the law (including legitimacy, compatibility of the disclosure of the data to a third party with respect to the original processing, informing the data subjects) will always have to be observed.
The assessment of the adequacy of the level of protection ensured by countries outside the European Union is based among other things on the country's general and sectoral legislation, and professional regulations. The European Commission has the competence to establish that a third country provides an adequate level of protection and has already done so for the following countries: Switzerland, Canada (for processing operations subject to the Canadian Personal Information Protection and Electronic Documentation Act), Argentina, the United States (if the recipient of the data in the United States has accepted the "Safe Harbor Principles"), Guernsey, the Isle of Man, the Faroe Islands, Liechtenstein, Andorra, Norway, Australia, Jersey and Israel. For all additional information or for the most recent updates of the list of countries ensuring an adequate level of protection, we strongly advise you to consult the European Commission's website.
Adequate safeguards through a contract
If the level of protection of the country of final destination of the data is not clearly considered as adequate by the European Commission, this does not necessarily mean that a transfer is impossible. There are a series of derogations allowing for data transfers towards countries not ensuring an adequate level of protection. To guarantee security for the economic actors, the national practice in the European Union is to require that these derogations are applied to transfers towards third countries not providing an adequate level of protection even if they have not been formally identified as not offering such protection. One of these derogations is the possibility for the controller to ensure adequate protection through a contract, for example a document that is binding for the individual transferring the data and for the one receiving it, and that contains sufficient safeguards with respect to data protection. In Belgium such a contract has to be authorized by Royal Decree, following the opinion of the Commission for the Protection of Privacy. To help the controller in this process, the European Commission has drawn up standard contractual clauses, which are automatically considered as sufficient safeguards for data protection. In Belgium, contracts copying the European Commission's standard contractual clauses do not have to be "ratified" by Royal Decree, nor do they have to be authorized by the Belgian Privacy Commission. A copy of the contract will nevertheless have to be transmitted to the latter, so that it can make sure the document corresponds with the European Commission's standard contractual clauses. Moreover, the processing operations will have to be notified in the Privacy Commission's public register, except if stated otherwise in the applicable regulations on notification. The standard contractual clauses are listed below:
- standard contractual clauses for a transfer from a controller to a controller (first standard 2001/497/EC);
- standard contractual clauses for a transfer from a controller to a controller (second standard 2004/915/EC);
- standard contractual clauses for a transfer from a controller to a processor (for contracts before 15 May 2010: 2002/16/EC; for new contracts as of 15 May 2010: 2010/87/EU). For your information: the Article 29 Working Party has elaborated FAQs (WP176) about the 2010/87/EU clauses.
For multinationals: sufficient safeguards with internal codes of conduct (Binding Corporate Rules)
Multinationals wishing to transfer data within a corporate group that includes members established outside the European Economic Area can also provide sufficient safeguards with respect to data protection using internal codes of conduct (Binding Corporate Rules - BCR). These codes have to be ratified by the different national authorities for data protection involved in the data flow (in Belgium a Royal Decree has to be adopted, following the opinion of the Commission for the Protection of Privacy). A coordinated European procedure has been elaborated, offering multinationals the possibility to submit their application to a national data protection authority (the leading authority at European level) that will then contact the other European authorities involved in order to jointly investigate the draft code of conduct and take coherent decisions. Moreover, several authorities, including Belgium, have agreed on a system of mutual recognition in order to come to harmonised positions, based on mutual trust among the data protection authorities when BCR have been analysed by three of them. A standard application form for approval is also available (WP 133). For more information on the requirements for the approval of internal codes of conduct, you can consult the working papers that have been adopted by the Article 29 Working Party (including documents WP153, WP154, WP155, and basic documents WP74, WP107, WP108). The European Commission website also includes a section on BCR.
Exceptions
In the absence of a contract, there are certain "exceptions" allowing for data transfers to third countries, for example when the data subjects give their unambiguous consent to the transfer of their data to such a country, when the transfer is necessary to perform a contract with the data subject or when the data come from a public register informing the public (e.g. telephone book, trade register). These exceptions have to be interpreted restrictively and cannot constitute a normal framework for data transfers, especially when the transfers are massive and repetitive. A contractual solution is recommended, as this offers greater safeguards for the protection of citizens' data.
Also read our FAQ: Cross-Border Transfers of Personal Data



