The flow of personal data within the European Union (EU) is relatively simple. But what has to be done if a company has to transfer personal data to other countries?
From the point of view of data protection law, cross-border transfer of personal data is a highly sensitive operation. Slovak law regulates cross-border data transfer in compliance with European and international rules. Since the EU is based on a high degree of personal data protection, certain companies that transfer personal data abroad will have to deal with administrative measures surrounding data protection, which are required by Slovak law.
Before commencing personal data transfer
Before any cross-border transfer of personal data, the person intending to transfer the data has to specify which subjects will participate in the transfer. One of them will always be the natural person whose personal data is being processed. Another is the data exporter, who can be in the position of controller or processor. A data importer can be either a controller (if processing personal data for its own purposes or in its own name) or a processor (if processing personal data for someone else) or a so-called third party. This specification then determines the content of the agreement on personal data transfer, which the subjects have to enter into in writing and whose requirements are explicitly regulated by Slovak law.
Last but not least, it is important to know to which country personal data will be transferred, since this determines the obligations of the data exporter towards the natural person whose personal data is being exported, as well as towards state authorities.
Personal data transfer between member states of the EU and EEA
Free transfer of personal data is guaranteed between individual member states of the EU and also Norway, Iceland and Liechtenstein. Individual countries cannot limit or ban personal data transfer. Basically, this means that personal data transfer to these countries takes place under the same rules that apply in the case of personal data transfer within Slovakia. This regulation is important, especially with regard to the individual concerned whose data you transfer as an exporter/importer. If you do not need the individual’s consent for processing personal data under Slovak law, i.e. the individual’s personal data is processed on other legal grounds (such as the processing of personal data without consent under a separate law), you do not need the individual’s consent to transfer their personal data to another member state. This, however, does not mean that you do not have to inform the natural person whose personal data you process, and there is the obligation to take adequate security measures regarding the transfer (such as data encoding).
Personal data transfer to third countries
Another situation arises if you transfer personal data to countries which are not member states of the EU and EEA. Any other states are considered so-called third countries, with various positions regarding legal regulation of personal data transfer. The law differentiates between transfer to third countries which ensure an adequate level of personal data protection, and transfer to third countries which do not ensure an adequate level of personal data protection, and also transfer to the USA.
a) Personal data transfer to countries which ensure an adequate level of personal data protection
Third countries which ensure an adequate level of personal data protection are countries which the European Commission designates by resolution. Currently, these are: Andorra, Argentina, Australia, the Faroe Islands, Guernsey, Israel, Jersey, New Zealand, Canada, the Isle of Man, Switzerland and Uruguay. These countries have basically the same legal status as EU member states, i.e. personal data transfer to these countries takes place under the same rules.
b) Personal data transfer to countries which do not ensure an adequate level of personal data protection
If you plan to transfer personal data to somewhere other than these countries, you have several possibilities. You can include standard clauses in the agreement on personal data transfer (which are specified in the European Commission resolution) or apply binding inter-company rules approved by a data protection authority seated in an EU member state. In this case, you will not need the consent of the Slovak Data Protection Authority for the transfer of personal data. Otherwise, this consent has to be obtained prior to transfer.
c) Transfer to the USA
As a whole, the USA is not considered a country which ensures an adequate level of personal data protection. However, to simplify economic relations and international trade between the EU and the US, the so-called Safe Harbor was drafted. Basically, American companies can voluntarily register by acceding to its rules. A list of companies which have voluntarily acceded to the Safe Harbor is kept by the US Ministry of Trade. A company listed in the Safe Harbor is considered by the EU as a company which ensures adequate personal data protection. If your company, as a data importer, is on the list, the agreement on data transfer does not have to include standard clauses and personal data transfer does not require the consent of the Data Protection Authority. In the case of an American company which is not part of the Safe Harbor, the transfer agreement has to include standard clauses; otherwise the transfer will require the consent of the Office.
Katarína Babiaková LL.M., Senior Associate, bnt attorneys-at-law, s.r.o.