Why is there no article about transmission of data to EU controllers in the GDPR?

There is an article, number 9, in the data protection regulation for EU institutions (Regulation (EU) 2018/1725, called EUDPR). The transmission to other EU institutions or to another controller within the same institution is, however, only subject to recital 21. In the GDPR, even the recitals do not mention transmission of personal data to other European organisations.
Of course, the use of processors is regulated in both acts, but not the transmission to another controller.
It can be concluded that transmission to entities under the same legislation is not covered, while transmission from EU institutions to entities under a regulation which has a wider scope is. The reason is clear: protection by the EUDPR is intended to be stricter. For example, EU institutions are not allowed to process data based on legitimate interest. Therefore transmission to another controller, who may process data based on legal bases unavailable for EU institutions, is restricted to cases where the same reasons apply as for the EU institutions - in fact even stricter, as the only basis is public interest. All other bases of processing by EU institutions (consent, contract, legal obligation, vital interest) are not applicable. I would say these are not applicable as these (in particular consent) concern a relationship between the new controller and the data subject or a specific aspect related to the data subject (i.e. vital interest). Actually, this latter reason for transmission of data could be legitimate, but it is not enabled by the Regulation.
In the absence of specific rules, and since, according to the definition, disclosure by transmission is processing, the general rules for the lawfulness of processing apply to controllers who fall under the GDPR.
Thus, data can be transmitted to another controller under the GDPR when processing by the other controller is also lawful under Article 6 and, if special categories of data are concerned, Article 9 GDPR.
These conditions apply cumulatively - for example, if processing special categories of data is necessary for the establishment, exercise or defence of legal claims, another basis also has to exist, as this lawfulness basis is not contained in Article 6. In the GDPR, this could be legitimate interest (thus, the legal claim has to be legitimate). For EU institutions, as legitimate interest is not a basis of lawfulness for them, public interest must exist.
This cumulative nature of requirements of lawfulness according to Article 6 GDPR (Article 5 EUDPR) and the specific conditions also exists in relation to special categories of data - i.e. Article 10 EUDPR or 9 EUDPR. Of course, in most cases the requirements for processing special categories of personal data or transferring personal data outside the EEA are in principle stricter than those for processing alone. There are nevertheless differences. For example, special categories of data can be processed if the data subject has manifestly made them public. This alone, however, does not fulfil the requirements of Article 6(1) - meaning that processing public data is not a free-for-all, but if there is a legitimate reason to process them and the data subject has made them manifestly public, special categories of data can also be processed.
The cumulativity of legal bases is especially interesting in the case of transfers - which, unlike transmission, means transfer to outside the EEA. The general requirement is that a transfer can only be done if the data are as well protected at the recipient as in the EEA. But only in principle. The conditions of transfer in Chapter V concentrate on ensuring protection equivalent to European rules. Therefore transfer is possible if an adequacy decision exists or if appropriate contractual clauses can be signed (and, since the Schrems II decision at least, complied with). But if the transfer (which is also processing) is not also justified by a basis in Article 6 (and, if applicable, 9), the adequacy decision or standard contractual clauses are not sufficient. It would indeed be funny if you could only process data under the conditions but transfer would be possible just based on an adequacy decision (which is specific for a country, but does not say anything about the recipient) or other "transfer tool". And even when processing by yourself has a reason accepted as a basis for lawfulness, transfer may not be necessary for the same reason - for example, the controller has a contract with the data subject but the recipient has nothing to do with that contract.
The requirements of transfer in case of derogations are more similar to and stricter than the lawfulness bases of processing. Once they are fulfilled, the general lawfulness conditions are probably complied with as well. But as this is not one hundred percent certain, the latter cannot be forgotten either. One typical example is the derogation concerning public directories - in this case data can be transferred to third countries or international organisations, but only if the processing, including the transfer, is legitimate under Article 6. This is the essence of the cumulativity of the conditions.

