PLEASE NOTE: Our website uses a technology called cookies to improve your experience. One of the cookies we use is essential for parts of the site to operate and may have already been set. You may delete and block all cookies from this site, but parts of the site will not work. For more information see our privacy policy.

To accept cookies from this site (and hide this notice) please check this box and click the continue button.

HomeThe IssuesOur ServicesOur TeamPublicationsTestimonialsNewsletterContact us

On the case - June 2006

June 2006


How can I legally export data from within Europe?


 

The European Data Protection directive upon which current local laws are based (Directive 95/46/EC adopted in 1995) introduced the requirement to ensure that transfers of personal data outside the European Economic Area (EU countries plus Norway, Liechtenstein and Iceland) must only be made if data protection in the receiving country was “adequate” to ensure the rights and freedoms of the individuals whose data was being transferred.

 

The European Commission is able to designate certain countries as “adequate” and the countries now regarded as adequate for the transfer of non-sensitive data are Switzerland, Canada, Argentina, Guernsey and the Isle of Man.  In addition US companies who have signed up to the “Safe Harbor” scheme are also designated as adequate. Data transfers to these countries are unlikely to be problematic – as long as suitable terms and conditions are applied.

 

If you are transferring to countries without adequacy and you do not have specific consent for the transfer, there are two other ways of ensuring that the transfer is legal.

 

For international transfers within company one solution is the adoption of Binding Corporate Rules (BCRs), however, the process of creating these rules and getting them approved is lengthy. The General Electric Company became the first company to gain authorisation from the UK’s Information Commissioner for BCRs last year after waiting nearly two years for their adequacy decision.

 

The most practical route then is the adoption of a contract between the exporting and importing companies. These contracts have to meet the standards that have been laid down by the European Commission and a set of standard contractual clauses for adequate transfers have now been proposed by the International Chamber of Commerce and agreed by the Commission. The Commission’s agreement means that transfers made under contracts containing these clauses can be said to offer full protection for personal data that is transferred.

 

The broad purpose of the clauses is to ensure that when Personal Data is transferred the protections available in the originating country are maintained: The Exporter and Importer share the requirement to exercise due diligence over the origin and processing of the data; the Importer must warrant that local laws will not prevent him from abiding by the agreement with the exporter and the circumstances in which termination of the contract may take place are fully explored; the clauses allow for one contract to cover multiple transfers.

 

The adoption of these new contractual clauses should ensure that marketers are able to share data with companies in other geographies with greater confidence.




Other recent items: