The transfer of personal data outside of the EU is only allowed under certain conditions as set out in Directive 95/46/EC and also in the General Data Protection Regulation which will be fully applicable as of May 2018. If a country is deemed by the European Commission to offer an adequate level of protection, it will be subject to the same rules as an EU Member State, which means that the recipient of the data in that state will not be obliged to take specific measures to allow for the transfer. Transferring data to a country without an adequacy decision requires appropriate safeguards, such as standard contractual clauses or binding corporate rules. Derogations to this rule can be obtained in very specific cases. The European Data Protection Board, of which the EDPS is a member, will provide the Commission with Opinions on this subject.
In the September 2017 edition of the EDPS Newsletter we cover the EDPS Opinion on the digital single gateway, the investigation of complaints relating to medical data and the latest developments in privacy engineering.
EDPS Opinion on the proposal for a Regulation establishing a single digital gateway and the ‘once-only’ principle
Prior check opinion on the notification of the OIB’s "360° tool - feedback and leadership competencies” (Case 2016-1130 / DPO-3868.1)
The Office for Infrastructure and Logistics in Brussels (OIB) has a development programme for managers using a 360° feedback tool. Managers participate on a voluntary basis in the exercise, in which their staff members, peers and superiors who agree to give feedback get to rate the manager. This allows managers to obtain anonymous feedback on their management and leadership style and to improve their management and leadership skills.
Two external providers cooperate with OIB in this exercise: a subcontractor collects individual evaluation responses per line manager through an online questionnaire and automatically generates reports; the contractor provides for individual coaching sessions to the managers. The specific roles and tasks of these two processors should be are clearly mentioned in the data protection statement. The subcontractor’s data centre is located in the United Kingdom. Forwardlooking, the EDPS highlights that future transfers might come under Article 9 of the Regulation requiring an adequate level of protection within the recipient's legal framework for transfers to third countries. In this issue, see pp.12-13 of EDPS Position paper on transfers to third countries and international organisations by EU institutions and bodies.
Prior Checking Opinion on the Import, Export and Transit Directory (IET) (Case 2016-0674 and 2013-1296)
Keynote speech by Giovanni Buttarelli to the Privacy and Security Conference 2016, Rust am Neusiedler See, Austria