Transfer of personal data to a third country
- What is a third country?
- What is a transfer of personal data to a third country?
- Is personal data transferred to a third country if published on the Internet?
- Why are there special rules on transfers to a third country?
- When is a transfer to a third country permitted?
- What does "adequate level of protection" mean?
- How do I know if the level of protection in a third country is adequate or not?
- What are the Safe Harbor principles?
- Can data be transferred regarding persons who have consented to the transfer?
- What are the specific situations in section 34 of the Personal Data Act when personal data may be transferred to a third country?
- What is meant by adequate safeguards to protect the rights of the registered persons?
- What are standard contractual clauses?
- What are Binding Corporate Rules?
- When is an application or notification to The Data Protection Authority required?
1. What is a third country?
A country which is not a member of the EU or the EEA.
The following countries are members of the EU.
Members of the EEA: Iceland, Liechtenstein and Norway.
2. What is a transfer of personal data to a third country?
When personal data that is processed in an EU or EEA country is made available in a country outside the EU/EEA area, for instance when personal data in a database is printed out and sent on paper, or when personal data is sent via e-mail.
3. Is personal data transferred to a third country if published on the Internet?
No, it is not considered to be a transfer to a third country if the data is published on a website on the Internet and the website is stored with an Internet provider established within the EU.
4. Why are there special rules on transfers to a third country?
The EC Directive on data protection requires that all member states have rules that provide an equivalent protection for personal data and privacy. This also applies to the EEA countries. Therefore, personal data may be transferred freely within this area without restrictions. Since there are no general rules that provide corresponding guarantees outside the EU/EEA, it has been considered that transfers to such countries must be limited. Personal data may therefore only be transferred if there is an adequate level of protection in the recipient country or if there are special safeguards protecting the personal data and the rights of the data subjects.
5. When is a transfer to a third country permitted?
Personal data may be transferred to a third country in one of the following situations:
- If there is an adequate level of protection (see below) in the recipient country (for instance according to decisions by the EU Commission).
- If the transfer is regulated by a contract that includes standard contractual clauses that have been approved by the EU Commission.
- When the data subject has given his/her consent to the transfer.
- In certain specific situations enumerated in section 34 of the Personal Data Act (see below).
- If it is permitted in some other way according to regulations or specific decisions by the Government or the Data Inspection Board, on the ground that there are adequate safeguards with respect to the protection of the rights of the data subjects. Such safeguards may result from Binding Corporate Rules (BCR), which can be submitted for approval according to a specific procedure established by the data protection authorities in the EU member states.
The processing of personal data that takes place in Sweden must still comply with the rules of the Personal Data Act. This means that data may only be transferred if the data controller in Sweden has complied with the other requirements of the Personal Data Act, for instance the fundamental requirements regarding processing of personal data and the rules about when such processing is permitted on the whole.
6. What does "adequate level of protection" mean?
In the Personal Data Act (and in the EC Directive on data protection) there are guidelines on what you have to consider when assessing the level of protection for personal data. All circumstances surrounding the transfer shall be considered. Particular consideration shall be given to the nature of the data, the purpose of the processing, the duration of the processing, the country of origin, the country of final destination and the rules that exist for the processing in the third country.
7. How do I know if the level of protection in a third country is adequate or not?
The EU Commission has analysed the data protection rules of a few countries and decided that the level of protection in these countries is adequate. The decisions concern:
- Bailiwick of Guernsey
- Faroe Islands
- Isle of Man
- New Zealand
- State of Israel
Furthermore the EU Commission has assessed that the level of protection is adequate within certain sectors or under certain conditions in the following countries:
- Canada (if their legislation on protection of personal data in the private sector is applicable to the recipient's processing of personal data)
- U.S.A. (if the recipient has self-certified that they adhere to the EU-US Privacy Shield arrangement)
The decisions of the EU Commission are enumerated in an annex to the Personal Data Ordinance. In the ordinance it is explicitly stated that transfers are permitted in these cases.
8. What are the Safe Harbor principles?
It is a set of rules on privacy and data protection issued by the US Department of Commerce (DoC) and approved by the EU Commission as providing an adequate level of protection. Organisations in the US can notify the DoC that they adhere to these rules, and it is permitted to transfer personal data from the EU/EEA to organisations in the US that have done so. The Privacy Shield also includes mechanisms for complaints handling and redress for data subjects in the EU, as well as clarifications on the rules for US authorities to access data. The Privacy Shield replaces the previous Safe Harbor principles, which were declared invalid by the European Court of Justice in its ruling of 6 October 2015. On the website of the US DoC there is a list of companies and organisations that have adhered to the Privacy Shield principles.
9. Can data be transferred regarding persons who have consented to the transfer?
Yes, it is explicitly permitted in the Personal Data Act. The consent must be freely given and must refer to the transfer of personal data as such. The individual must also first have been given information about the personal data processing. Only data about the person who has given his/her consent may be transferred – not personal data about someone else.
10. What are the specific situations in section 34 of the Personal Data Act when personal data may be transferred to a third country?
In addition to consent, section 34 of the Personal Data Act lists a few specific situations where personal data may be transferred regardless of whether there is an adequate level of protection or other safeguards:
If the transfer is necessary for
- the performance of a contract between the registered person and the controller of personal data, or the implementation of precontractual measures taken in response to the request of the registered person,
- the conclusion or performance of a contract between the controller of personal data and a third party which is in the interest of the registered person,
- the establishment, exercise or defence of legal claims, or
- the protection of vital interests of the registered person.
The Swedish Personal Data Act also allows transfers of personal data to countries that have acceded to the Council of Europe Convention No. 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data, provided that the data will only be used in such a country.
11. What is meant by adequate safeguards to protect the rights of the registered persons?
Such safeguards could be specific contractual clauses that regulate the transfer in order to protect the individuals' rights. The Personal Data Ordinance contains rules that allow third country transfers of personal data if the transfer takes place based on certain standard contractual clauses approved by the EU Commission.
Furthermore, the Data Protection Authority may allow third country transfers if there are adequate safeguards for the protection of the registered persons' rights. This can be done either by generally applicable statutes or in individual decisions. One example is transfers based on Binding Corporate Rules (BCRs), which have been permitted by the Swedish Data Protection Authority as well as by other data protection authorities in the EU countries.
12. What are standard contractual clauses?
Standard contractual clauses are contractual clauses that include obligations for personal data controllers who wish to transfer data to third countries, as well as obligations for those controllers or personal data processors who receive the data. The clauses also regulate other aspects in connection with the transfer, such as the data subjects' rights and dispute resolution. The contractual clauses aim at providing adequate safeguards for the protection of individuals' rights when personal data is transferred to countries without an adequate level of protection.
There are three different sets of standard contractual clauses to choose from. All of them have been approved by the EU Commission. Two of them concern transfers of data to other personal data controllers in third countries. The third set of clauses concerns data transfers to processors in a third country. Third country transfers of personal data based on any of these sets of contractual clauses are explicitly permitted according to the Personal Data Ordinance, and there is no need to apply for a specific decision from the Data Protection Authority.
13. What are Binding Corporate Rules?
The term Binding Corporate Rules (or BCRs) describes rules that a multinational company group may have adopted in order to regulate their personal data processing. Data transfers among companies in the group could mean that data is transferred from the EU/EEA to third countries. The EU Data Protection Directive as well as the Swedish Personal Data Act give room for allowing such transfers if there are adequate safeguards for the protection of individuals' rights. BCRs could be such safeguards.
The Article 29 Working Party (with representatives from the data protection authorities in the EU member states) has published several documents containing guidance on what BCRs should include. Furthermore, the national data protection authorities in the EU have set up a procedure to jointly discuss and assess draft BCRs since personal data often will be transferred from several different EU/EEA-countries. The Article 29 Working Party has also developed a standardized application form for approval of BCRs.
The cooperation between data protection authorities can simplify and contribute to a coordinated assessment of BCRs. However, a data protection authority in another state cannot decide to permit a Swedish subsidiary in the company group to transfer personal data from Sweden. The Swedish company must submit an application to the Data Protection Authority. It is consequently not sufficient that the parent company in a group, established in London for example, has obtained an approval from the UK data protection authority. The Swedish company must still wait for approval from the Swedish Data Protection Authority. The approval only refers to the question of whether or not data can be transferred to a third country. The personal data processing that is performed in Sweden must still comply with the rules in the Personal Data Act.
14. When is an application or notification to the Data Protection Authority required?
In principle, all personal data processing must be notified, but there is a large number of exemptions from this rule. For example, a controller who has appointed a data protection officer within the company does not have to notify the personal data processing. Furthermore, certain kinds of processing operations which are not likely to lead to privacy infringement do not have to be notified, according to the Data Protection Authority Code of Statutes.
There is no requirement for a specific notification when personal data is to be transferred to a third country. However, the processing of personal data as such might have to be notified according to the general rules in Section 36 of the Personal Data Act. This means that no specific notification is required for data transfers to someone in the US who has adhered to the Safe Harbor principles, or for data transfers to any of the countries that the EU Commission has assessed to have an adequate level of protection. Nor is a specific notification (or submission of copies of the contract) required for transfers based on the standard contractual clauses.
However, a controller who wants to rely on other safeguards for the protection of individuals' rights in connection with transfers to third countries, e.g. through Binding Corporate Rules, must apply to the Data Protection Authority for an exemption from the principal ban on such transfers. There are no formal requirements for what such an application should include, but the standardised application form of the Article 29 Working Party can be used as guidance.