This is the second part about GDPR. The first part, GDPR – practical examples, is also available.
Can a statutory authority discharge its obligations in regard to data protection by outsourcing the collection, storage and processing of personal data to another organisation?
No. If data handling is outsourced, the organisation that outsources it is acting as the data controller and the company that provides the outsourced service is acting as a processor; both have obligations under GDPR.
An online retailer uses a payment company to process its customer transactions. Is the payment company acting as the data processor for the retailer?
The payment company exercises control over the type of information collected about customers from the retailer, decides how that information is processed and how long it is kept, and has its own terms and conditions that apply directly to the customers.
Can personal data be transferred out of an EU country to anywhere other than another member state of the EEA?
Personal data may be transferred to a country outside the EEA if that country’s data protection laws have been approved by the European Commission, or if the level of protection has been assessed as adequate. For countries where the Commission has not ruled that adequate safeguards exist, personal data may still be transferred under certain specific circumstances. These include where the transfer is not made by a public authority in the exercise of its powers, involves data relating to only a limited number of individuals, or is necessary for the compelling legitimate interests of an organisation.
Can personal data be transferred out of an EU country provided that the destination country’s data protection laws have been approved by the European Commission?
The European Commission publishes a list of countries whose data protection laws and rights have been reviewed and are deemed adequate (see https://gdpr-info.eu/issues/third-countries/).
Simply assessing the rights of data subjects in the destination country is insufficient: the level of rights must be shown to be ‘adequate’.
Otherwise, the controller must ensure in another way that the personal data will be sufficiently protected by the recipient. This can be assured through standard contractual clauses; for data transfers within a group, through so-called “binding corporate rules”; through a commitment to comply with codes of conduct that the European Commission has declared generally applicable; or by certification of the data processing procedure.