Legal basis for transfer of personal data from the EU to outside the EU from Georg Philip Krog on 2020-03-02 (public-dpvcg@w3.org from March 2020)

From: Georg Philip Krog <georg@signatu.com>
Date: Mon, 2 Mar 2020 14:53:29 +0100
To: public-dpvcg@w3.org
Message-ID: <CAPOUEwn_tp1jc61URU1TrKoVWPOAo+JrO-uqt-hPVhY6vzq5Yw@mail.gmail.com>
Hi all,

Signatu contributes to the dpv with the following:

*1. Legal basis for transfer of personal data from the EU to outside the
EU:*



Category Description Tag Legal Basis for Transfer under GDPR
Transfer inside the EU Personal data can flow freely inside the EU between
EU countries and the three EEA countries Norway, Lichtenstein and Iceland
Transfer_EU_EEA signatu-gdpr:
Transfer from EU to a third country. Third country has Adequacy
Decision. Personal
data can flow freely from the EUto a certified company in the US under the
EU-US Privacy Shield EU_US_Privacy_Shield signatu-gdpr: 45-3
Transfer from EU to a third country. Third country has Adequacy
Decision. Personal
data can flow freely from the EU to a third country with an Adequacy
Decision without any further safeguard being necessary (name countries)
Adequacy_Decision signatu-gdpr: 45-3
Transfer from EU to a third country. Third country has no Adequacy
Decision. Third country has appropriate safeguards. Transfer does not
require specific authorisation from a Supervisor Authority. A legally
binding and enforceable instrument between public authorities or bodies
Instrument_Between_Public_Authorities signatu-gdpr: 46-2-a
Transfer from EU to a third country. Third country has no Adequacy
Decision. Third country has appropriate safeguards. Transfer does not
require specific authorisation from a Supervisor Authority. Binding
corporate rules Binding_Corporate_Rules signatu-gdpr: 46-2-b
Transfer from EU to a third country. Third country has no Adequacy
Decision. Third country has appropriate safeguards. Transfer does not
require specific authorisation from a Supervisor Authority. Standard data
protection clauses adopted by the Commission
Standard_Clauses_Commission signatu-gdpr:
46-2-c
Transfer from EU to a third country. Third country has no Adequacy
Decision. Third country has appropriate safeguards. Transfer does not
require specific authorisation from a Supervisor Authority. Standard data
protection clauses adopted by a Supervisory Authority
Standard_Clauses_Authority signatu-gdpr: 46-2-d
Transfer from EU to a third country. Third country has no Adequacy
Decision. Third country has appropriate safeguards. Transfer does not
require specific authorisation from a Supervisor Authority. An approved
code of conduct pursuant to GDPR Article 40 together with binding and
enforceable commitments of the controller or processor in the third country
to apply the appropriate safeguards, including as regards individuals´
rights Approved_Code_Conduct signatu-gdpr: 46-2-e
Transfer from EU to a third country. Third country has no Adequacy
Decision. Third country has appropriate safeguards. Transfer does not
require specific authorisation from a Supervisor Authority. An approved
certification mechanism pursuant to GDPR Article 42 together with binding
and enforceable commitments of the controller or processor in the third
country to appy the appropriate safeguards, including as regards
individuals` rights Certification signatu-gdpr: 46-2-f
Transfer from EU to a third country. Third country has no Adequacy
Decision. Appropriate safeguards exist. Transfer does requires specific
authorisation from a Supervisor Authority. Contractual clauses with
controller, processor or recipient of the personal data in the third
country or the international organisation. Contractual_Clauses signatu-gdpr:
46-3-a
Transfer from EU to a third country. Third country has no Adequacy
Decision. Appropriate safeguards exist. Transfer does requires specific
authorisation from a Supervisor Authority. Provisions to be inserted into
administrative arrangements between public authorities or bodies which
include enforceable and effective data subject rights
Administrative_Agreement signatu-gdpr: 46-3-b
Transfer from EU to a third country. Third country has no Adequacy
Decision. Appropriate safeguards do not exist. The data subject has
explicitly consented to the proposed transfer, after having been informed
of the possible risks of such transfers for the data subject due to the
absence of an adequacy decision and appropriate safeguards.
Explicit_Consent signatu-gdpr:
49-1-a
Transfer from EU to a third country. Third country has no Adequacy
Decision. Appropriate safeguards do not exist. The transfer is necessary
for the performance of a contract between the data subject and controller
or the implementation of pre-contractual measures taken at the data
subject´s request. Contract_Subject signatu-gdpr: 49-1-b
Transfer from EU to a third country. Third country has no Adequacy
Decision. Appropriate safeguards do not exist. The transfer is necessary
for the conclusion or performance of a contract concluded in the interest
of the data subject and controller and another natural or legal person.
Contract_Not_Subject signatu-gdpr: 49-1-c
Transfer from EU to a third country. Third country has no Adequacy
Decision. Appropriate safeguards do not exist. The transfer is necessary
for important reasons of public interest. Public_Interest signatu-gdpr:
49-1-d
Transfer from EU to a third country. Third country has no Adequacy
Decision. Appropriate safeguards do not exist. The transfer is necessary
for the establishment, exercise or defence of legal claims.
Legal_Claims signatu-gdpr:
49-1-e
Transfer from EU to a third country. Third country has no Adequacy
Decision. Appropriate safeguards do not exist. The transfer is necessary in
order to protect the vital interests of the data subject or of other
persons, where the person is physically or legally incapable of giving
consent. Vital_Interests signatu-gdpr: 49-1-f
Transfer from EU to a third country. Third country has not Adequacy
Decision. Appropriate safeguards do not exist. The transfer is made from a
register which according to Union or Member State law is intended to provide
information to the public in general or by any person who can
demonstrate a legitimate
interest, but only to the extent that the conditions laid down by Union or
Member State law for consultation are fulfilled in the particular case.
From_Public_Register signatu-gdpr: 49-1-g
Transfer from EU to a third country. Third country has no Adequacy
Decision. Appropriate safeguards do not exist and no other options apply. The
transfer is not repetetive, concerns only a limited number of data
subjects, is necessary for the purposes of compelling legitimate interests
pursued by controller which are not overridden by the interests or rights
and freedoms of the data subject, and controller has assessed all the
circumstances surrounding the data transfer and have on the basis of that
assessment provided suitable safeguards with regard to the protection of
personal data. Legitimate_Interest signatu-gdpr: 49-1-second-paragraph
The transfer is exempt - e.g. a transfer within the same company. Exempt
The legal basis for the transfer is unknown. Unkown


*2. A suggestion to make a dpv that is global/universal*

Currently, the dpv is specific for the EU/GDPR.

A universal dpv should have a structure that allows for meta mapping of the
same concepts that are named differently in different jurisdictions/law
 regimes.

Kind regards,
Georg
-- 
Georg Philip Krog

signatu <https://signatu.com>
Received on Monday, 2 March 2020 14:20:17 UTC