Σωτήριος Καλαμίτσης

Εταιρεία Δικηγόρων

Transfer of Personal Data from Greece to Third Countries

According to EU 1 and Greek legislation 2 transfer of personal data to a non EU/EEA country may take place

I. upon a permit by the Greek Personal Data Protection Authority (DPA) which is granted

a. when DPA is satisfied that the non EU/EEA country ensures an adequate level of protection 3. To this end DPA shall take into account the nature of the data, the purpose and the duration of the processing, the pertinent general and specific rules of law, the codes of conduct, the security measures for the protection of personal data, as well as the protection level in the countries of origin, transit and final destination of the data.

b. exceptionally, when DPA does not consider the non EU/EEA country to ensure an adequate level of protection, but one or more of the following conditions are met:

i. the data subject has consented to the transfer (unless such consent has been extracted in a manner contrary to the law or bonos mores).

ii. the transfer is necessary 1) in order to protect the vital interests of the data subject, provided s/he is physically or legally incapable of giving his/her consent, or 2) for the conclusion and performance of a contract between the data subject and the Controller or between the Controller and a third party in the interest of the data subject, if s/he is incapable of giving his/her consent, or 3) for the implementation of pre-contractual measures taken in response to the data subject’s request.

iii. the transfer is necessary in order to address an exceptional need and safeguard a superior public interest, especially for the performance of a co-operation agreement with the public authorities of the other country, provided that the Controller provides adequate safeguards with respect to the protection of privacy and fundamental liberties and the exercise of the corresponding rights.

iv. the transfer is necessary for the establishment, exercise or defense of a right in court.

v. the transfer is made from a public register which by law is intended to provide information to the public and which is accessible by the public or by any person who can demonstrate legitimate interest, provided that the conditions set out by law for access to such register are in each particular case fulfilled.

vi. the Controller shall provide adequate safeguards with respect to the protection of the data subjects’ personal data and the exercise of their rights, when the safeguards arise from contractual clauses which are in accordance with the regulations of Greek law No. 2472/1997. 4 Such contractual clauses must ensure that the main principles of EU data protection legislation shall be applied, that is that the data should only be collected for specified, explicit and legitimate purposes, that the subjects must be informed of such purposes and of the details of the controller and be able to access and have their data corrected, and that appropriate remedies must be available in the event of a failure to ensure adequate protection, including compensation or damages through the competent courts 5.

II. with no DPA permit being required, when

a. the European Commission has determined [Article 25(6) of Directive 95/46/EC] that the non EU/EEA country to which the data shall be transferred ensures an adequate level of protection by reason of its domestic law or of the international commitments such country has entered into [article 9§1.α of Greek law No. 2472/1997]. The Commission has so far (April 10th, 2015) recognized the following non EU/EEA countries to provide adequate protection: Andorra, Argentina, Canada (commercial organizations), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, and Uruguay 6. Further to that data may be transferred to entities in the United States that have been (self)certified as committed themselves to the privacy principles set forth in the EU-US Privacy Shield agreement 7.

b. the transfer shall take place following contractual clauses agreed upon between transferor (data exporter) and transferee (data importer) that offer adequate safeguards for the protection of the privacy and fundamental rights and freedoms of individuals in accordance with the decisions of the European Commission [under article 26§4 of Directive 95/46/EC]. Here we talking again about data protection safeguards set through contractual clauses, as in the case of I.b.vi. mentioned above. The difference is that in this particular case the contractual clauses have been pre-approved by the European Commission, thus the law does not require for DPA’s additional approval through its granting a permit for the transfer [see 9§2.στ of Greek law No. 2472/1997]. More specifically, the Commission has issued sets of standard rules for data transfers to Controllers or Processors established in non EU/EEA countries 8. The interested parties may either use such standard clauses in the form of a special contract or incorporate such into a wider contract. “The standard contractual clauses are only one of several possibilities under the EU data protection Directive (95/46/EC) for lawfully transferring personal data outside the EU. They are not compulsory for businesses. However the advantage of using these standard clauses when transferring personal data to processors in countries outside the EU is that, on one hand, companies are obliged to comply with data protection standards and, on the other hand, Member States’ data protection authorities are obliged to recognise that these transfers enjoy adequate protection. 9 The Greek DPA requests that when transfer is to be made on the basis of these pre-approved clauses, their exact wording – as approved by the Commission – must be adopted 10 and a duly sealed and signed copy of the agreement be submitted to it (the DPA) together with the transfer notification form. One should add to the above that a DPA may still block transfers made on the basis of these standard clauses, when the law to which the data importer is subject obliges it to derogate from the relevant data protection rules beyond the restrictions necessary in a democratic society (as provided for in Article 13 of Directive 95/46/EC) where those derogations are likely to have a substantial adverse effect on the guarantees provided by the standard contractual clauses, as well as in all cases where the contractual clauses are not being applied by the parties or there is a substantial likelihood that they are not or will not be applied and imminent risk of harm for the subjects of the data. 11

Finally, in the case of multinational groups of companies, EU legislation provides that transfers from Group Members established within the EU/EEA to Group Members established outside the EU/EEA may take place on the basis of Binding Corporate Rules, i.e. a set of rules adopted by the Group that adduces for safeguards for the protection of the privacy, fundamental rights and freedoms of individuals with respect to personal data transfers. Such set of rules goes through the EU cooperation procedure for approval from all competent national Data Protection Authorities and once approved allows the Group to proceed with transfers without its members having to enter into separate contracts each time a transfer is to be effected 12

In all events, even when no permit is required, the Greek DPA must be notified prior to any transfer of personal data to non EU/EEA countries. 13

 by Nikos Kalamitsis

27.11.2016

  1. Relevant: Articles 25 & 26 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
  2. article 9 of Greek law No. 2472/1997 on the Protection of Individuals with regard to the Processing of Personal Data
  3. article 9§1.β of Greek law No. 2472/1997
  4. article 9§2 of Greek law No. 2472/1997, as translated here. Also see article 26§1 & 2 of Directive 95/46/EC.
  5. and by “competent courts” one should understand and provide for that the subject shall be entitled to take court action in the country where s/he resides or at least in the country where the controller/data exporter is established, as taking court action in the country where the data importer is established could entail disproportionate difficulties for the data subject).
  6. http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm
  7. http://ec.europa.eu/justice/data-protection/international-transfers/eu-us-privacy-shield/index_en.htm
  8. http://ec.europa.eu/justice/data-protection/document/international-transfers/transfer/index_en.htm
  9. Memo dated February 5th, 2010 on the Commission Decision C(2010)593 regarding the updated standard set of rules for transfers to processors established outside EU/EEA countries.
  10. They may also use different wording on the condition that any the clause does not contradict, directly or indirectly, the Commission’s standard protection clauses nor does it prejudice the data subject’s fundamental freedoms and rights.
  11. Commission’s decisions on the adoption of each set of contractual rules (there are two for transfers from Controllers to Controllers and one for transfers from a Controller to a Processor in third countries) include specific reasons for blocking transfers under such clauses. The text above summarizes the main reasons for blocking the transfer.
  12. . It goes without saying that the adoption and approval of BCR does not relieve the data transferors (exporters) of any other obligations (such as notifying the competent DPA as weel as the data subjects prior to any new transfer, not covered by previous notifications). 14for details om BCR see European Commission’s presentation here & Greek DPA’s one here (in Greek)
  13. It goes without saying that the transferor must have also notified DPA of his/her/its processing personal data within the Greek territory, unless he/she/it is exempted from such a notification according to Article 7a§1 of Greek law No. 2472/1997.