Re: Legal basis for transfer of personal data from the EU to outside the EU

Thanks Georg, 

Very timely!!




> On 2 Mar 2020, at 08:53, Georg Philip Krog <georg@signatu.com> wrote:
> 
> Hi all,
> 
> Signatu contributes to the dpv with the following:
> 
> 1. Legal basis for transfer of personal data from the EU to outside the EU:
> 
> 
>  
> | Category | Description | Tag | Legal Basis for Transfer under GDPR |
> | Transfer inside the EU | Personal data can flow freely inside the EU between EU countries and the three EEA countries Norway, Liechtenstein and Iceland | Transfer_EU_EEA | signatu-gdpr: |
> | Transfer from EU to a third country. Third country has Adequacy Decision. | Personal data can flow freely from the EU to a certified company in the US under the EU-US Privacy Shield | EU_US_Privacy_Shield | signatu-gdpr: 45-3 |
> | Transfer from EU to a third country. Third country has Adequacy Decision. | Personal data can flow freely from the EU to a third country with an Adequacy Decision without any further safeguard being necessary (name countries) | Adequacy_Decision | signatu-gdpr: 45-3 |
> | Transfer from EU to a third country. Third country has no Adequacy Decision. Third country has appropriate safeguards. Transfer does not require specific authorisation from a Supervisor Authority. | A legally binding and enforceable instrument between public authorities or bodies | Instrument_Between_Public_Authorities | signatu-gdpr: 46-2-a |
> | Transfer from EU to a third country. Third country has no Adequacy Decision. Third country has appropriate safeguards. Transfer does not require specific authorisation from a Supervisor Authority. | Binding corporate rules | Binding_Corporate_Rules | signatu-gdpr: 46-2-b |
> | Transfer from EU to a third country. Third country has no Adequacy Decision. Third country has appropriate safeguards. Transfer does not require specific authorisation from a Supervisor Authority. | Standard data protection clauses adopted by the Commission | Standard_Clauses_Commission | signatu-gdpr: 46-2-c |
> | Transfer from EU to a third country. Third country has no Adequacy Decision. Third country has appropriate safeguards. Transfer does not require specific authorisation from a Supervisor Authority. | Standard data protection clauses adopted by a Supervisory Authority | Standard_Clauses_Authority | signatu-gdpr: 46-2-d |
> | Transfer from EU to a third country. Third country has no Adequacy Decision. Third country has appropriate safeguards. Transfer does not require specific authorisation from a Supervisor Authority. | An approved code of conduct pursuant to GDPR Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards individuals' rights | Approved_Code_Conduct | signatu-gdpr: 46-2-e |
> | Transfer from EU to a third country. Third country has no Adequacy Decision. Third country has appropriate safeguards. Transfer does not require specific authorisation from a Supervisor Authority. | An approved certification mechanism pursuant to GDPR Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards individuals' rights | Certification | signatu-gdpr: 46-2-f |
> | Transfer from EU to a third country. Third country has no Adequacy Decision. Appropriate safeguards exist. Transfer does require specific authorisation from a Supervisor Authority. | Contractual clauses with controller, processor or recipient of the personal data in the third country or the international organisation. | Contractual_Clauses | signatu-gdpr: 46-3-a |
> | Transfer from EU to a third country. Third country has no Adequacy Decision. Appropriate safeguards exist. Transfer does require specific authorisation from a Supervisor Authority. | Provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights | Administrative_Agreement | signatu-gdpr: 46-3-b |
> | Transfer from EU to a third country. Third country has no Adequacy Decision. Appropriate safeguards do not exist. | The data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards. | Explicit_Consent | signatu-gdpr: 49-1-a |
> | Transfer from EU to a third country. Third country has no Adequacy Decision. Appropriate safeguards do not exist. | The transfer is necessary for the performance of a contract between the data subject and controller or the implementation of pre-contractual measures taken at the data subject's request. | Contract_Subject | signatu-gdpr: 49-1-b |
> | Transfer from EU to a third country. Third country has no Adequacy Decision. Appropriate safeguards do not exist. | The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject and controller and another natural or legal person. | Contract_Not_Subject | signatu-gdpr: 49-1-c |
> | Transfer from EU to a third country. Third country has no Adequacy Decision. Appropriate safeguards do not exist. | The transfer is necessary for important reasons of public interest. | Public_Interest | signatu-gdpr: 49-1-d |
> | Transfer from EU to a third country. Third country has no Adequacy Decision. Appropriate safeguards do not exist. | The transfer is necessary for the establishment, exercise or defence of legal claims. | Legal_Claims | signatu-gdpr: 49-1-e |
> | Transfer from EU to a third country. Third country has no Adequacy Decision. Appropriate safeguards do not exist. | The transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the person is physically or legally incapable of giving consent. | Vital_Interests | signatu-gdpr: 49-1-f |
> | Transfer from EU to a third country. Third country has no Adequacy Decision. Appropriate safeguards do not exist. | The transfer is made from a register which according to Union or Member State law is intended to provide information to the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case. | From_Public_Register | signatu-gdpr: 49-1-g |
> | Transfer from EU to a third country. Third country has no Adequacy Decision. Appropriate safeguards do not exist and no other options apply. | The transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by controller which are not overridden by the interests or rights and freedoms of the data subject, and controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. | Legitimate_Interest | signatu-gdpr: 49-1-second-paragraph |
> | | The transfer is exempt - e.g. a transfer within the same company. | Exempt | |
> | | The legal basis for the transfer is unknown. | Unkown | |
> 
> 
> 2. A suggestion to make a dpv that is global/universal
> 
> Currently, the dpv is specific for the EU/GDPR.
> 
> A universal dpv should have a structure that allows for meta mapping of the same concepts that are named differently in different jurisdictions/law regimes.
> 
> Kind regards,
> Georg
> -- 
> Georg Philip Krog
> 
> signatu <https://signatu.com/>

Received on Monday, 2 March 2020 19:43:59 UTC