Skip to main content

Why is there no article about transmission of data to EU controllers in the GDPR?

There is an article, number 9, in the data protection regulation for EU institutions (Regulation (EU) 2018/1725, called EUDPR). The transmission to other EU institutions or to another controller within the same institution is, however, only subject to recital 21. In the GDPR, even the recitals do not mention transmission of personal data to other European organisations.
Of course, the use of processors is regulated in both acts, but not the transmission to another controller.
It can be concluded that the transmission to entities under the same legislation is not covered while transmission from EU institutions to entities under a regulation which has a wider scope, is. The reason is clear: protection by the EUDPR is intended to be stricter. For example, EU institutions are not allowed to process data based on legitimate interest. Therefore transmission to another controller, who may process data based on legal bases unavailable for EU institutions, is restricted to cases where the same reasons apply as for the EU institutions -  in fact even stricter as the only basis is public interest. All other bases of processing by EU institutions (consent, contract, legal obligation, vital interest) are not applicable. I would say these are not applicable as these (in particular consent) concern a relationship between the new controller or the data subject or a specific aspect related to the data subject (i.e. vital interest). Actually, this latter reason for transmission of data could be legitimate, but it is not enabled by the Regulation.
In the absence of specific rules, and as according to the definition, disclosure by transmission is processing, the general rules for the lawfulness of processing apply to controllers who fall under the GDPR.
Thus, data can be transmitted to another controller under the GDPR when processing by the other controller is also lawful under Article 6 and, if special categories of data are concerned, Article 9 GDPR.
These conditions apply cumulatively - for example if processing special categories of data is necessary for the establishment, exercise or defence of legal claims, as this lawfulness basis is not contained in Article 6, another basis has to exist also. In the GDPR, this could be legitimate interest (thus, the legal claim has to be legitimate). For EU institutions, as legitimate interest is not a basis of lawfulness for them, public interest must exist.
This cumulative nature of requirements of lawfulness according to Article 6 GDPR (Article 5 EUDPR) and the specific conditions also exists in relation to special categories of data - i.e. Article 10 EUDPR or 9 EUDPR. Of course in most cases the requirements towards processing special categories of personal data or transferring personal data to outside the EEA are in principle more strict that just for processing. There are nevertheless differences. For example, special categories of data can be processed if the data subject has manifestly made them public. This alone, however, does not fulfil the requirements of Article 6(1) - meaning that processing public data is not a free for all, but if there s a legitimate reason to process them and the data subject has made them manifestly public, also special categories of data can be processed.
The cumulativity of legal bases is especially interesting in the case of transfers - which, other than transmission, is transfer to outside the EEA The general requirement is that transfer can only be done if the data are as well protected at the recipient as in the EEA. But only in principle. The conditions of transfer in chapter V. concentrate namely on ensuring equivalent protection to European rules. Therefore transfer is possible if an adequacy decision exists or if appropriate contractual clauses can be signed (and, since the Schrems-ii decision at least, complied with). But if the transfer (which is also processing) is not also justified by a basis in Article 6 (and, if applicable, 9), the adequacy decision or standard contractual clauses are not sufficient. It would indeed be funny if you could only process data under the conditions but transfer would be possible just based on an adequacy decision (which is specific for a country, but does not say anything about the recipient) or other "transfer tool". And even when processing by yourself has a reason accepted as basis for lawfulness, transfer may not be necessary for the same reason - for example the controller has a contract with the data subject but the recipient has nothing to do with that contract.
The requirements of transfer in case of derogations are more similar to and stricter than the lawfulness bases of processing. Once they are fulfilled, probably the general lawfulness conditions are complied with also. But as it is not hundred percent certain, these latter cannot be forgotten either. One typical example is the derogation concerning public directories - in this case data can be transferred to third countries or international organisations. Only then, however, if the processing, including the transfer, is legitimate under Article 6. This is the essence of the cumulativity of the conditions.


Comments

Popular posts from this blog

Transfer of Personal Data to Third Countries and International Organisations

Legal requirements The GDPR and Regulation (EU) 2018/1725 (the EUDPR) have changed somewhat the rules concerning transfer of personal data to jurisdictions which are not considered to provide adequate protection of personal data. On one hand the conditions are clearer, on the other hand, new types of safeguards have been introduced. It has to be noted, that there are two possible situations: transfer from a European Institution as controller to another controller and transfer to a processor. At the moment these cases are mostly treated together, although there are some differences. One safeguard which is common between the old and new rules is the use of standard contractual clauses approved by the European Commission (the only change is that the approval procedure has been set within the framework of Comitology, namely the investigation procedure) and the EDPS can also adopt contractual clauses but these also have to be approved by the Commission under the same procedure...

How to prepare for the new GDPR?

If you are completely complying with the "old" data protection rules, you do need have to do a lot about your existing operations processing personal data. Some of the rules were, however open to interpretation and thus some "cutting corners" has been made impossible, like implicit consent. The new "right to be forgotten" also applies immediately to all processing (if there is a request, of course) where the retention was defined too liberally. Different national rules which you followed may be too lenient or too stict so at least a review of what you do amd how you do it is indispensable. Documentation also has to be completed, the "privacy by design" and "privacy by default" concepts and the obligation for data protection impact assessment, however, applies only to newly starting or significantly changed processing. So what about consent? First of all, it has to be noted that - contrary to what you can read sometimes - it is n...