Facilitating the transfer of personal data to Asian countries – works on the EC decision on adequacy for Japan continue

The European Commission is working on the adoption of a decision on the level of personal data protection for Japan. This will be the first decision of this type issued on the basis of the provisions of the GDPR. The draft decision was approved by the European Data Protection Board in December this year. Negotiations on the commencement of the decision on adequacy procedure are also conducted by South Korea.

Plans to adopt a decision on adequacy for Japan are good news for EU entrepreneurs transferring personal data to this country, e.g. within a capital group or outsourcing of services, because it will enable the transfer of personal data without the need to establish additional security e.g. in the form of binding corporate rules. After the adoption of the decision, the data may be transferred to Japan on the same basis as to the countries within the EU.

Countries that provide an adequate level of data protection

The European Commission issued decisions on adequacy also before the GDPR was in force, based on its predecessor – Directive 95/46/EC. These decisions remain in force until they are amended, replaced or repealed. Thanks to them, personal data can be transferred to:

• Andorra
• Argentina
• Australia (to a limited extent)
• Guernsey
• Israel
• Canada
• New Zealand
• United States (to a limited extent – for entities that are members of the Privacy Shield program)
• Switzerland
• Uruguay
• Isle of Man
• Faroe Islands

Countries not considered as ones that provide an adequate level of data protection

If the data is sent to a country outside the EU and EEA not included in the above list, such as Russia, Ukraine or Turkey or for example data is transferred to US entities who are not participants of the Privacy Shield program, additional steps will be taken to ensure data security, e.g. :

– binding corporate rules,

– standard contract clauses,

– certification mechanism.

Conditional data transfer

If none of the above safeguards has been accepted, the transfer of data to a third country may take place only exceptionally, provided that one of the conditions indicated in art. 49 par. 1 of GDPR occurs. The reasons for this are, among others:

1. explicit consent to the data transfer expressed by the data subject after informing him or her about the lack of adequate safeguards, including the absence of a decision of EC and the risks associated with it,
2. the necessity of transfer for performance of the contract between the data subject and the data controller,
3. the necessity of transfer to the conclusion or performance of a contract concluded in the interest of the data subject,
4. the necessity of transfer due to public interest or to establish, assert or protect claims,
5. the necessity of a transfer to protect the vital interests of the data subject or of other persons if the data subject is physically or legally incapable of giving his consent.

Data transfer based on the conditions described above is an exceptional situation and should not be abused. In accordance with the guidelines of the European Data Protection Board, transfer described above cannot be the basis for the legal transfer of personal data to third countries within the capital group in which the services are outsourced.

Although, at first glance, the legalization of the transfer by obtaining the consent of the data subject may seem the easiest solution for entrepreneurs, it should only be used exceptionally. This consent must meet stricter requirements than the standard consent for data processing. It must be clear, specific (non-blank) and deliberate – and therefore preceded by reliable information about the lack of personal data security and the associated risk. In addition, the consent may be revoked at any time.