Blog » FORWARDING PERSONAL DATA TO JAPAN? THE EUROPEAN COMMISSION GIVES GREEN LIGHT
FORWARDING PERSONAL DATA TO JAPAN? THE EUROPEAN COMMISSION GIVES GREEN LIGHT
20 February 2019
Just a week before entering into force of the EU – Japan Economic Partnership Agreement, the European Commission decided that Japan shall be considered as a safe country under the GDPR. What does it mean to be safe? Why is it important? In our latest article you can read about the effects of this decision.
1. What is the problem with countries outside the EU?
The General Data Protection Regulation (GDPR) is currently the strictest data protection regulation in the whole world.
If the GDPR provides the highest level of protection to the personal data, then it means that anywhere else in the world the protection of the personal data is lower. The aim of the regulation is that the data protection safety level of the European residents shall be always the same, even if the data processor is seated outside the European Union, in a so-called “third-country”.
It is obvious that the regulation cannot be applied generally all over the world, so the most effective way to protect the personal data is to prevent them getting out of the EU. However, such a decision would block an international company’s operation, if it would be impossible for the mother company, seated outside the EU, to reach personal data.
So the regulation allows transferring data to third countries that are considered to be safe.
2. When is it safe to transfer data outside the EU?
The GDPR applies a multi-stage type system allowing the transfer of personal data to a third country.
Adequacy decision: if a non-EU member state regulates data protection similarly as GDPR, and the security provided to the personal data is considered to be sufficient, the European Commission can decide that such country shall be approved to be safe. This means that transferring data to such country does not require permission.
Providing safeguards: the adequacy decision can be substituted with safeguards for data protection. The regulation explains that safeguards can be legally binding and enforceable instruments, binding corporate rules, standard data protection clauses, approved code of conduct or approved certification mechanism.
Derogations for specific situations: if the person transferring data is unable to provide safeguards, there are still situations when the ban can be overwritten. According to GDPR this can happen if the data transfer is
- explicitly permitted by the data subject, after having been informed of the possible risks of such transfers,
- necessary for the performance of a contract with the data subject,
- necessary for important reasons of public interest,
- necessary for the establishment, exercise or defence of legal claims,
- necessary to protect the vital interests of the data subject or of other persons, and the data subject is physically or legally unable to give consent,
- made from a register which according to law is intended to provide information to the public.
Fulfilling specific conditions: even without meeting the above mentioned conditions, the data transfer is still possible, if the following requirements are fulfilled:
- the transfer is not repetitive,
- concerns only a limited number of data subjects,
- it is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject,
- and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data.
If the above mentioned points are all met, it is enough to inform the authorities about the data transfer.
In these four points the data transfer shall be considered safe according to GDPR, however, this is a fix list. If the data transfer does not fit in any categories, it is not permitted.
3. What are the advantages of the Commission’s adequacy decision?
Among the above mentioned safety conditions the first one, namely the “adequacy decision” is the most convenient for the market participants. In such case there is no need to provide special safeguards, you don’t need to meet several conditions, or report the data transfer to the authorities to transfer the data outside the EU.
So if the Commission issues an adequacy decision for a non-EU country where you transfer data, the data processing becomes much easier in the everyday life of your company.
4. What are the conditions of the adequacy decision?
Before the Commission issues an adequacy decision, it examines whether the country meets the criteria of the rule of law, especially if the human rights and fundamental freedoms, data protection regulations can be exercised, if there is an independent supervisory authority, and whether it is regulated how the state organs can have access to personal data, and what international obligations they have in relation with data protection.
For example, Japan strengthened the protection of sensitive data, made the data transfer to other non-EU country stricter, and created an independent supervision for the data access based on law enforcement and state security reasons.
By adopting the adequacy decision in the field of data protection, the Commission gave green light to personal data transfer to Japan, and eliminated a significant obstacle in respect of the execution of the EU – Japan Economic Partnership Agreement.
The fact that EU companies can freely transfer data to their Japanese business partners, or to subsidiaries, will hopefully contribute to the boosting of EU – Japan economic relations.
ONLINE SALE OF MEDICINAL PRODUCTS WITHOUT BORDERS? LUXEMBURG RULED
Cross-border online sale of medicinal products is a recurring issue before the Court of Justice of the European Union. This is no coincidence, as trade in medicines is a strictly regulated area in all Member States, which can easily conflict with the EU principle of freedom to provide services, and in the end, the "price" of excessive national restrictions is borne by the consumers. In our article, we summarize the recent ruling of the Court of Justice of the European Union on the limitation of the principle.Read more »
HOW REPORTING OF EMPLOYEE-TRAININGS HAS CHANGED FROM SEPTEMBER 2020 IN HUNGARY?
From September 2020 the rules, which regulate the status of the adult educators and the organisation of adult educations have changed. There are significantly more educations, which are considered as adult education and performing an adult education entails a lot more obligation. The changes affect almost every employer who organises certain kind of educations for its employees. We summarize the most important changes concerning the adult education.Read more »
LUXEMBOURG RULED: MESSI DRIBBLED PAST EVEN THE EUROPEAN TRADEMARK OFFICE
Messi hit the legal news again, this time not because of his tax issues. In September, the match between the EUIPO and the world-famous football player, which was ongoing since 2011, finally ended. Messi won the match, as the European Court of Justice ruled that because of his significant reputation, his name can be registered as a trademark despite the fact that it is similar to several earlier trademarks, which is otherwise a ground for exclusion. In our short article, we summarise the details of the case and the legal significance of the decision.Read more »