g-docweb-display Portlet

Authorisation for the Transfer of Personal Data to Data Processors Established in Third Countries in Compliance with Standard Contractual Clauses ...

Stampa Stampa Stampa
PDF Trasforma contenuto in PDF

[doc. web n. 1669750]

Trasferimento dei dati personali all´estero -Autorizzazione al trasferimento verso Paesi senza adeguato livello di protezione

Authorisation for the Transfer of Personal Data to Data Processors Established in Third Countries in Compliance with Standard Contractual Clauses - 10 april 2002

Garante per la protezione dei dati personali

Prof. Stefano Rodotà, President, Prof. Giuseppe Santaniello, Vice-President, Prof. Gaetano Rasi and Mr Mauro Paissan, members, and Mr Giovanni Buttarelli, Secretary General, having convened today,

Having regard to Article 25 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, providing that personal data may be transferred to a country outside the European Union if the third country in question ensures an adequate level of protection, as set forth in paragraph 2 of the abovementioned Article,

Having regard to Article 26 of the abovementioned Directive, laying down derogations from said principle and also providing that a Member State may authorize a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection, where the data controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights, such safeguards also resulting from appropriate contractual clauses,

Having regard to paragraph 4 of said Article 26, concerning the European Commission´s decisions on standard contractual clauses,

Having regard to the European Commission´s decision no. 2002/16/EC of 27 December 2001, as published on the Official Journal of the European Communities L6/52 of 10 January 2002, according to which certain standard contractual clauses, annexed to said decision, offer sufficient safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights for the transfer of personal data to processors established in third countries as required by Article 17(3) and Article 26(2) of Directive 95/46/EC,

Whereas Member States are required to take the necessary measures to comply with the Commission´s decision in pursuance of paragraph 4 of said Article 26 of the Directive,

Having regard to Section 28 of Act no. 675 of 31 December 1996 as amended by Section 10 of legislative decree no. 467 of 28.12.2001, providing that the transfer of personal data to third countries may take place a) where the laws of the country of destination or transit ensure an adequate level of protection of individuals, b) in the cases referred to in paragraph 4 of Article 28, or c) where it is authorised by the Garante on the basis of adequate safeguards for the data subject´s rights, which may either result from contractual arrangements or be specified by the European Commission in accordance with the decisions referred to in Article 25(6) and in Article 26(4) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 (paragraph 4, subheading g) ),

Having regard to Decision no. 35 of 10.10.2001, by which this Authority authorised the transfer of personal data from the State´s territory to third countries in compliance with the standard contractual clauses annexed to European Commission´s decision  no. 2001/497/EC of 15.06.2001,

Whereas the abovementioned new standard contractual clauses – which the Commission has drafted by including 11 clauses and 3 Annexes, also based on the favourable opinion given by the Working Party on the Protection of Individuals with regard to the Processing of Personal Data established under Article 29 of the Directive – offer safeguards with respect to data subjects´ rights that can be considered adequate in pursuance of Section 28(4), subheading g), of Act no. 675/1996,

Whereas the entities using the above contractual clauses may lay down further safeguards for the individuals to whom the data refer, in addition to the minimum safeguards that are set forth in said clauses,

Whereas the Commission´s decision only applies to the transfer of data that is performed from the State´s territory by a controller established in the Community (data exporter) to a processor in charge of the same processing (data importer) that is established in a third country where no adequate level of protection is ensured, and the standard contractual clauses applying to the transfer of data that is performed by a controller established in the Community to another controller established in a third country have already been specified in the abovementioned Commission´s decision no. 2001/497/EC,

Whereas it is necessary to publicise further the abovementioned contractual clauses by having them published on the Official Journal of the Italian Republic as an Annex to this authorisation,

Whereas it is necessary to lay down a few specifications in pursuance of the tasks committed to this Authority, which have been also referred to in the Commission´s decision, to the extent required for initially implementing this authorisation,

Whereas the possibility for the Garante to play, on a case by case basis, the mediation role that is referred to in clause 7, paragraph 1, subheading a), of the Commission´s decision, is hereby left unprejudiced,

Whereas this is without prejudice to the possibility for the Garante to specify additional requirements and mechanisms on the basis of the experience gathered in implementing the clauses, also at Community level,

Having regard to official records,

Having regard to the considerations made by the Secretary General on behalf of the Authority, as required by Article 15 of the Garante´s Regulations no. 1/2000,

Acting on the report submitted by Prof. Gaetano Rasi,

THE GARANTE HEREBY

1) authorises, as of 3 April 2002, the transfer of personal data from the State´s territory to countries outside the European Union, where it is performed on the basis of and in compliance with the standard contractual clauses annexed to the European Commission´s decision no. 2002/16/EC of 27 December 2001, on condition that:

a) the data exporter and the data importer refer to or incorporate the clauses in the data transfer contract so as to make them also recognisable for the individuals to whom the data refer, where they request to be informed about the clauses, and also disclose a summary description of the security measures they have adopted, where the abovementioned individuals so request, and refrain from laying down contractual provisions that either impose limitations on or contradict the standard contractual clauses (see Clause no. 4, letter h) and no. 5, letter g), and Recital no. 4 in the Commission´s decision),

b) a copy of the data transfer contract and additional information as required will only be made available to the Garante if the latter so requests (see Clause no. 8 and Section 32(1) of Act no. 675/1996),

c) the decision made in case a dispute cannot be resolved amicably and is referred to an entity other than the Garante or judicial authority is notified to the Garante (see Clause 7(2) and (1), letter a);

2) reserves the right - in pursuance of Community law, Act no. 675/1996 and Article 4 of the Commission´s decision - to perform the necessary controls with regard to lawfulness and fairness of both the data transfer and processing operations, and to provide for possibly blocking or prohibiting the transfer;

3) orders that this authorisation and the Commission´s decision annexed hereto be sent to the Publishing Department at the Ministry of Justice for them to be printed on the Official Journal of the Italian Republic.

Done in Rome, this 10th day of April 2002

The President
Rodotà

The Rapporteur
Rasi

The Secretary General
Buttarelli